Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter Search - Only Results with One Field Value per Entry

bcarr12
Path Finder
‎05-02-2013 01:55 PM

Hi all,

Is there any quick/straightforward way to filter results of a search so that only search results that have one occurrence of a field in them are displayed.

For example, I have a search that returns results where some have one occurrence of "transaction id" (always a unique number) and other results have multiple occurrences within that one result entry. I am trying to filter my search so it only includes results with one transaction id. What would be the best way to do this? Is this something that defining a transaction could help with?

0 Karma
Reply

Ayn
Legend
‎05-02-2013 02:00 PM

If multiple ID's result in a multivalued field containing the respective values, you could do:

yourbasesearch | where mvcount(transaction_id)=1
Reply

bcarr12
Path Finder
‎05-02-2013 02:10 PM

Hmm...I ran the search with this command but the results did not change. I apologize I cannot post the exact search and results due to the data generated, but the overall idea is that some results look like this:

....transaction_id=123456789....

while other results look like this:
...transaction_id:02345678....transaction_id:0028746553...transaction_id:9948777553...

So the idea is that I would only want to return results that have one transaction_id field value in them, as opposed to ones where there are multiple transaction_id occurrences in one result.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...