Example:
userid: 123 should have a unique pin # and no other pin #s.
Sometimes during a transaction, userids are assigned two pin #s by mistake. Alert when a userid has more than one pin #.
transaction 1:
userid: 123
pin#: abc
transaction 2:
userid: 123
pin#: def
... | stats dc(pin), values(pin) by userid | search dc(pin) > 1
Maybe?
stats count(pin) AS COUNT by userid |search COUNT > 1
Looks like I was 4 seconds late in drafting the answer 🙂
I like your use of dc better than mine. I think it would be less problematic.
The take-away for asaprobo is, make a search that should only return counts of 1, and have a subsearch to return results greater than 1 and alert on that.
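The difference between the two suggested searches, shown side by side on constructed data (an added example, not part of the original thread). The field names `userid` and `pin` and the sample transactions are assumptions: userid 123 has two different pins, while userid 456 appears twice with the same pin.

```spl
| makeresults
| eval constructed_sample="123,abc;123,def;456,xyz;456,xyz"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<userid>[^,]+),(?<pin>.+)$"
| stats count(pin) AS pin_events, dc(pin) AS distinct_pins, values(pin) AS pins by userid
| eval flagged_by_count=if(pin_events > 1, "yes", "no"),
       flagged_by_dc=if(distinct_pins > 1, "yes", "no")
| table userid, pins, pin_events, distinct_pins, flagged_by_count, flagged_by_dc
```

`count(pin)` counts every event that carries a pin, so a userid that repeats the same pin across transactions is flagged as well; `dc(pin)` counts only distinct pin values. For the alert itself, replace the final `eval` and `table` with `| where distinct_pins > 1`.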