Splunk Search

returns only results that have a repeated field

tony_cb
New Member

I need a query that returns only results that have a repeated field.

My search:
index=abc AND component=yyy AND key=vegas_gateway_insert_order

Results Example:
Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com
Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com
Dec 9 08:60:16 localhost 2014-12-09 08:60:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000000, email=test3@gmail.com

I just want the results that repeat the idt_order field, like below result:
Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com
Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com

Thanks for the help!


wangweibee
Explorer

I think: extract the field "idt_order", then use transaction. For example, "| transaction idt_order". Good luck!


alacercogitatus
SplunkTrust

Transaction is expensive when searching large data sets, especially when you don't set any limits. The preferred method to perform the search is with eventstats.

index=abc AND component=yyy AND key=vegas_gateway_insert_order | eventstats count AS ecount by idt_order | where ecount > 1
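The eventstats pipeline from the answer above, emulated in Python over the sample events from the question so that the "annotate every event, then filter" behaviour (as opposed to a collapsing stats) is visible. This is an added example, not code from the thread or from Splunk; the key=value extraction regex, the field filters and the sample events are assumptions modelled on the question.

```python
import re
from collections import Counter

# Constructed sample events modelled on the log lines in the question (not real data).
SAMPLE_EVENTS = [
    "Dec 9 08:58:16 localhost 2014-12-09 08:58:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test1@gmail.com",
    "Dec 9 08:59:16 localhost 2014-12-09 08:59:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000001, email=test2@gmail.com",
    "Dec 9 08:60:16 localhost 2014-12-09 08:60:16 INFO index=abc component=yyy key=vegas_gateway_insert_order, idt_order=000000000, email=test3@gmail.com",
]

# Assumed extraction rule: key=value pairs whose values run until a comma or whitespace.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def extract_fields(raw):
    """Return the key=value fields of one raw event as a dict."""
    return {k: v for k, v in KV_RE.findall(raw)}


def eventstats_count_by(events, field, out_field="ecount"):
    """Emulate `| eventstats count AS <out_field> by <field>`.

    Unlike `stats`, eventstats does not collapse the events: every event is kept
    and annotated with the count of events sharing its value of `field`.
    Events that lack `field` are passed through unannotated (assumption).
    """
    counts = Counter(e[field] for e in events if field in e)
    annotated = []
    for e in events:
        e = dict(e)
        if field in e:
            e[out_field] = counts[e[field]]
        annotated.append(e)
    return annotated


def repeated_field_events(raw_events, field="idt_order"):
    """Base search -> eventstats count by field -> where ecount > 1."""
    base = [extract_fields(r) for r in raw_events]
    # the search terms from the question, applied as field filters
    base = [e for e in base if e.get("index") == "abc" and e.get("component") == "yyy"
            and e.get("key") == "vegas_gateway_insert_order"]
    return [e for e in eventstats_count_by(base, field) if e.get("ecount", 0) > 1]


if __name__ == "__main__":
    for e in repeated_field_events(SAMPLE_EVENTS):
        print(e["idt_order"], e["email"], "ecount=%d" % e["ecount"])
```

Only the two events sharing idt_order=000000001 survive the filter, each still carrying its own email, which is the result the question asked for.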

tony_cb
New Member

That works perfectly!

Thanks.


alacercogitatus
SplunkTrust

Please mark as accepted if this answers your question completely. Thanks!



tony_cb
New Member

@wangweibee, thanks for the quick reply.

But how do I do it? Can you help me a bit more?

Thanks,
