- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How find how many inquiry is assigned to particula...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How find how many inquiry is assigned to particular person?
Suppose we are inquiry id as 1,2,3,4,5,6,7,8,9,10 and these are assigned to some person p1,p2,p3,p4.
Then 1,2,3,5 inquiry is assigned to p1 , 4,6 assigned to p2,7,8,9, assigned to p3 and 10 assigned to p4.
So the question is how to display person's having more than 1 inquiry assigned to them.
And we do not know about person name and inquiry,It is just present in database.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pal_sumit1, without details like sample data and field names and your existing query etc. it is difficult to assist you. However, based on your question seems like you are asking for something like the following. PS: dc() aggregate function gives distinct count.
<yourbasesearch> person=* inquiry=*
| stats dc(inquiry) as inquiryCount by person
| search inquiryCount >1
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes,you are right,I am also doing like this.But is there is another way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please let us know the reason to look for another way to do this? Is there performance issue or different use case?
To me it seems correct way to identify persons you are interested in. You can also use values() to show unique values of inquiries
<yourbasesearch> person=* inquiry=*
| stats dc(inquiry) as inquiryCount values(inquiry) as inquiries by person
| search inquiryCount >1
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pal_sumit1 if this addresses your need, please accept the answer to mark this question as answered. If not please let us know any further queries that you may have!
| makeresults | eval message= "Happy Splunking!!!"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
