Hi All -
I have a search that returns a userID and their associated groupIDs. I just want the userID and their FIRST (read: smallest) groupID.
So if you have
userID groupID
userA 22
userA 33
userA 44
userB 11
userB 22
...
I would like to return
userA 22
userB 11
...
My basic search looks like this:
sourcetype=source
When I dedup on userID, groupID I get everything (as this is looking for the unique combo of userID and groupID).
Hope that I explained this properly.
Thanks, Mike
OK - what I was able to determine was that if I use the stats min(groupID) command, that solves my problem. Nothing like writing down your issue and walking away from it to have it appear right in front of you.
For completeness - the search would look like
sourcetype=source
There's also the "sortby" component of the dedup command
| dedup userID sortby +groupID
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Dedup
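
A self-contained search for the case discussed in this thread, as an added example that is not part of the original posts: it rebuilds the question's sample rows and keeps the smallest groupID per userID with stats. The field names come from the question; the rows are constructed, and makeresults is assumed to be available (it is not in the 6.0 release the link above documents).

```spl
| makeresults
| eval row=split("userA,22 userA,33 userA,44 userB,11 userB,22", " ")
| mvexpand row
| eval userID=mvindex(split(row, ","), 0)
| eval groupID=tonumber(mvindex(split(row, ","), 1))
| stats min(groupID) AS groupID BY userID
```

stats returns only userID and groupID, while the dedup route keeps the rest of each surviving event.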