PainIsAMaster
Reputation: 2076
Get distinct results (filtered results) of Splunk Query based on a results field/string value
I have a splunk query something like
index=myIndex* source="source/path/of/logs/*.log" "Elephant"
Thus, this brings up about 2,000 results which are JSON responses from one of my APIs that include the world "Elephant". This is kind of what I want - However, some of these results have duplicate carId fields, and I only want Splunk to show me the unique search results
The Results of Splunk looks something like this:
MyApiRequests {"carId":3454353435,"make":"toyota","year":"2015","model":"camry","value":25000.00}
NOW, I just want to filter on the carId's that are unique. I don't want duplicates. Thus, I would expect the original value of 2,000 results to decrease quite a bit.
Can anyone help me formulate my Splunk Query to achieve this?
Upvotes: 9
Views: 62605
Answers (2)
warren
Reputation: 33435
stats will be your friend here.
Consider the following:
index=myIndex* source="source/path/of/logs/*.log" "Elephant" carId=*
| stats values(*) as * by carId
Upvotes: 10
Mads Hansen
Reputation: 66714
You could use dedup
index=myIndex* source="source/path/of/logs/*.log" "Elephant" | dedup carId
Upvotes: 9
Related Questions
- splunk query based on log stdout
- How to extract a field from a Splunk search result and do stats on the value of that field
- Splunk: Group by certain entry in log file
- Splunk conditional distinct count
- Filtering duplicate entries from Splunk events
- Splunk - Get Prefefined Outputs Based on the event count and event data
- Extracting certain fields from Splunk query results
- Splunk query formulation for unique records as per specific fields
- Splunk breakdown results by matched search phrase
- Splunk query to filter results