Solved: How to display events in table format when same va...

rkeq0515 · ‎05-22-2020

Is there a way to display events in a table when the same value appears multiple times with other values?
I am looking for user accounts that appear on two or more systems.

The following is a list of records:

I have been trying different queries based off of the follow but I cant seem to get the correct syntax. I can get a count on field 1 and/or field 2, but I am not able to pull just those events listed above and the attributes accompanying (field3, field4, etc.) the events.

1. index="myindex"
2. | stats count by field1 field2
3. | where count > 1
4. | table count field1 field2 field3
5. | sort - count

to4kawa · ‎05-22-2020

 index="myindex"
| eventstats dc(field1) as counts by field2
| where counts > 1
| table as_you_like

How about this?

View solution in original post

to4kawa · ‎05-22-2020

 index="myindex"
| eventstats dc(field1) as counts by field2
| where counts > 1
| table as_you_like

How about this?

How to display events in table format when same value appears multiple times?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms