I need a query that returns only results that have a repeated field.
My search:
index=abc AND component=yyy AND key=vegas_gateway_insert_order
Results Example:
Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com
Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com
Dec 9 08:60:16 localhost 2014-12-09 08:60:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000000, email=test3@gmail.com
I just want the results that repeat the idt_order field, like below result:
Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com
Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com
Thanks for the help!
I think, extract the field "idt_order", then use transaction. for example, "| transaction dt_order". good luck!
Transaction is an expensive when searching large data sets, especially when you don't set any limits. The preferred method to perform the search is with eventstats.
index=abc AND component=yyy AND key=vegas_gateway_insert_order | eventstats count AS ecount by idt_order | where ecount > 1
That works perfectly!
Thanks.
Please mark as accepted if this answers your question completely. Thanks!
I think, extract the field "idt_order", then use transaction. for example, "| transaction dt_order". good luck!
@wangweibee, thanks for quick reply.
But, how do it? You can help me a bit more ?
Thanks,