Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter Search - Only Results with One Field Value per Entry

bcarr12
Path Finder
‎05-02-2013 01:55 PM

Hi all,

Is there any quick/straightforward way to filter results of a search so that only search results that have one occurrence of a field in them are displayed.

For example, I have a search that returns results where some have one occurrence of "transaction id" (always a unique number) and other results have multiple occurrences within that one result entry. I am trying to filter my search so it only includes results with one transaction id. What would be the best way to do this? Is this something that defining a transaction could help with?

0 Karma
Reply

Ayn
Legend
‎05-02-2013 02:00 PM

If multiple ID's result in a multivalued field containing the respective values, you could do:

yourbasesearch | where mvcount(transaction_id)=1
Reply

bcarr12
Path Finder
‎05-02-2013 02:10 PM

Hmm...I ran the search with this command but the results did not change. I apologize I cannot post the exact search and results due to the data generated, but the overall idea is that some results look like this:

....transaction_id=123456789....

while other results look like this:
...transaction_id:02345678....transaction_id:0028746553...transaction_id:9948777553...

So the idea is that I would only want to return results that have one transaction_id field value in them, as opposed to ones where there are multiple transaction_id occurrences in one result.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...