Filter Search - Only Results with One Field Value...

bcarr12 · ‎05-02-2013

Hi all,

Is there any quick/straightforward way to filter results of a search so that only search results that have one occurrence of a field in them are displayed.

For example, I have a search that returns results where some have one occurrence of "transaction id" (always a unique number) and other results have multiple occurrences within that one result entry. I am trying to filter my search so it only includes results with one transaction id. What would be the best way to do this? Is this something that defining a transaction could help with?

Ayn · ‎05-02-2013

If multiple ID's result in a multivalued field containing the respective values, you could do:

yourbasesearch | where mvcount(transaction_id)=1

bcarr12 · ‎05-02-2013

Hmm...I ran the search with this command but the results did not change. I apologize I cannot post the exact search and results due to the data generated, but the overall idea is that some results look like this:

....transaction_id=123456789....

while other results look like this:
...transaction_id:02345678....transaction_id:0028746553...transaction_id:9948777553...

So the idea is that I would only want to return results that have one transaction_id field value in them, as opposed to ones where there are multiple transaction_id occurrences in one result.

Filter Search - Only Results with One Field Value per Entry

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!