Deduping results to return smallest groupID for every userID

lehrfeld
Path Finder

Hi All -

I have a search that returns a userID and their associated groupIDs. I am just wanting the userID and their FIRST (read: smallest) groupID.

So if you have

userID groupID
userA 22
userA 33
userA 44
userB 11
userB 22
...

I would like to return
userA 22
userB 11
...

My basic search looks like this:
sourcetype=source | table userID, groupID

When I dedup on userID, groupID I get everything (as this is looking for the unique combo of userID and groupID).

Hope that I explained this properly.

Thanks, Mike


lehrfeld
Path Finder

OK - what I was able to determine was that if I use the stats min(groupID) command that solves my problem. Nothing like writing down your issue and walking away from it to have it appear right in front of you.

For completeness, the search would look like:
sourcetype=source | stats min(groupID) by userID


ltawfall
Path Finder

There's also the "sortby" component of the dedup command

| dedup userID sortby +groupID

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Dedup
