Splunk Search

returns only results that have a repeated field

tony_cb
New Member

I need a query that returns only results that have a repeated field.

My search:
index=abc AND component=yyy AND key=vegas_gateway_insert_order

Results Example:
Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com
Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com
Dec 9 08:60:16 localhost 2014-12-09 08:60:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000000, email=test3@gmail.com

I just want the results that repeat the idt_order field, like the result below:
Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com
Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com

Thanks for the help!

0 Karma
1 Solution

wangweibee
Explorer

I think you should extract the field "idt_order", then use transaction. For example, "| transaction idt_order". Good luck!


0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Transaction is expensive when searching large data sets, especially when you don't set any limits. The preferred method to perform the search is with eventstats.

index=abc AND component=yyy AND key=vegas_gateway_insert_order | eventstats count AS ecount by idt_order | where ecount > 1
0 Karma
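As an added illustration that is not part of the thread: the eventstats pipeline from the answer above, rebuilt in Python over the three sample events from the question, with a stats_count helper alongside it to show why a plain stats would lose the raw events the question wants back. The regex-based key=value extraction is an assumption standing in for Splunk's automatic field extraction.

```python
import re
from collections import Counter

# Constructed sample events, copied from the question's results example.
RAW_EVENTS = [
    "Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com",
    "Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com",
    "Dec 9 08:60:16 localhost 2014-12-09 08:60:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000000, email=test3@gmail.com",
]

# Assumed stand-in for Splunk's key=value auto-extraction: a value runs until whitespace or a comma.
KV_RE = re.compile(r"(\w+)=([^\s,]+)")


def extract_fields(raw):
    """Turn one raw event into a dict of extracted fields, keeping the raw text as _raw."""
    fields = dict(KV_RE.findall(raw))
    fields["_raw"] = raw
    return fields


def eventstats_count(events, by):
    """Equivalent of '| eventstats count AS ecount by <field>': every event is kept and annotated."""
    counts = Counter(e.get(by) for e in events)
    return [dict(e, ecount=counts[e.get(by)]) for e in events]


def repeated_events(raws, by="idt_order"):
    """Full pipeline: extract fields, eventstats by the field, then '| where ecount > 1'."""
    events = [extract_fields(r) for r in raws]
    return [e for e in eventstats_count(events, by) if e["ecount"] > 1]


def stats_count(events, by):
    """Equivalent of '| stats count by <field>': one row per value, the raw events are gone."""
    return dict(Counter(e.get(by) for e in events))


if __name__ == "__main__":
    for e in repeated_events(RAW_EVENTS):
        print(e["ecount"], e["_raw"])
```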

tony_cb
New Member

That works perfectly!

Thanks.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Please mark as accepted if this answers your question completely. Thanks!

0 Karma

tony_cb
New Member

@wangweibee, thanks for quick reply.

But how do I do it? Can you help me a bit more?

Thanks,

0 Karma