Splunk list unique field. The top command can be used to display the most common values of a field, along with their count and percentage. Here's an example:
Mar 30, 2025 · To learn more about the fields command, see How the SPL2 fields command works. It is really tedious to have to type field-value pair after field-value pair just to search for a list of values in the same field.
Oct 24, 2021 · What I am attempting to do is use this query for an alert and provide the list of servers but only when the # of servers in the distinct list returned in the above query is less than a specified #.
Jan 26, 2012 · The most efficient way to get accurate results is probably: | eventcount summarize=false index=* | dedup index | fields index Just searching for index=* could be inefficient and wrong, e. Unfortunately, I only want the unique results of one set, not the unique results of both of them. This is my search:
Jan 3, 2018 · I can obtain a list of fields within an index eg.
Sep 14, 2021 · Just wanted to add, that those, who want all of their fields to be grouped, can use the asterisk -- instead of painstakingly enumerating them all (and then re-enumerating, when the field-set changes). In my table of results there might be different IPs for the same username which are listed down in the single IP cell. I'm not trying to run a search against my data as seen through the eyes of any particular datamodel. Splunk Get Unique Values is a Splunk command that returns a list of unique values from a field in a Splunk search. On first look, I thought your solution was as efficient as it can get. The order of the values is lexicographical. but not the total count. The field names must be enclosed in square brackets ( [ ] ). This is my first query: The notable event includes fields specific to this creation method. The country has to be grouped into Total vs Total Non-US.
This works for all regular fields -- but not for the special ones (like _time), those still must be listed explicitly:
Apr 6, 2017 · I can use stats dc() to get to the number of unique instances of something i. Really all I'm trying to get is a count of the non-repeated fields. The distinctIPs value is the number of IP values that that row's ACCOUNT field was accessed by. The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal! | fields host, src.
Jul 16, 2024 · The answer can depend on data characteristics. someFieldname index=firewall sourcetype=firewall1 fieldnames: host, source, srcip, dest, etc etc. Should be simple enough, just not for me. Solved: I want to get unique values in the result. Splunk List Unique Values is a Splunk search command that returns a list of all unique values for a specified field. g. So what I want to do is make a unique list of values combined into one column, of all of the fields' values.
Jan 18, 2012 · values(X) This function returns the list of all distinct values of the field X as a multi-value entry. In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count
Mar 30, 2025 · Description: A single field name or a comma-delimited list of field names.
May 13, 2019 · Solved: I know I am for sure over-complicating this.
index=yourindex | fieldsummary | table field or index=yourindex | stats values(*) AS * | transpose | table column | rename column AS Fieldnames or index=yourindex | stats dc() as * | transpose or ;-) index=yourindex | table *
Apr 3, 2014 · I have a set of records with multiple duplicate values across two fields X, and Y. If more than 100 values are in a field, only the first 100 are returned.
Login succeeded for user: a1b2
Login succeeded for user: c3d4
Login succeeded for user: e5f6
Login succeeded for user: a1b2
Jun 20, 2019 · Solved: Hi, I am looking to create a search that allows me to get a list of all fields in addition to below: | tstats count WHERE index=ABC by index,
Mar 16, 2018 · I am working on a query to retrieve the count of unique host IPs by user and country. conf. Please find below the example of my result table: Username---------------------- The Splunk Get Unique Values command will return a list of unique values for the specified field. someSourcetype.
Mar 27, 2018 · Hi, I have a query which runs and gives me the list of IPs in a table format grouped by username. status owner: Correlation search fields: Fields related to the correlation search that returned the notable event
May 8, 2019 · Searching for different values in the same field has been made easier. Usage
Nov 19, 2013 · Hi. First try |stats values(*) as * This will give all the data in a single row as multivalued fields.
Apr 3, 2013 · Furthermore, if we are only interested in a summary of the field values (say to search on where certain named fields appear), we can aggregate those. How do I get a total count of distinct values of a field? For example, as shown below Splunk shows my "aws_account_id" field has 100+ unique values. If the field has no values, this function returns NULL. Is this possible? Maybe this is better illustrated through an example. firewall1.
Specify a list of fields to remove from the search results
Aug 7, 2019 · So I'm trying to get a distinct count of source MAC addresses by device. values(X) Returns the list of all distinct values of the field X as a multi-value entry. The list function returns a multivalue entry from the values in a field. The fields command keeps the fields which you specify in the output. I cannot figure out how to do this. I am trying to extract the colon (:) delimited field directly before "USERS" (2nd field from the end) in the log entries below: 14-07-13 12:54:00.
Aug 5, 2021 · I'm trying to do a search in Splunk in which I'm trying to narrow it down to a unique substring. See Usage.
Nov 29, 2023 · Returns the sum of the squares of the values of the field X. Either way, the JSON must be in the correct format. (AA_12345 for example).
Oct 12, 2012 · stats values(fieldname) by itself works, but when I give the command as stats values(*), the result is all the fields with all distinct values; fields with null values also get displayed, which kind of beats my purpose, which is to select and display those fields which have at least one non-null value. What I'm trying to do is run some sort of search in Splunk (rest perhaps) to pull out the fields defined in any loaded datamodel. eval userids=userid+","+userid If the field contains a single value, this function returns 1. But I want the count of occurrences of each of the unique instances i. Th Syntax: BY <field-list> Description: The name of one or more fields to group by. Use the sort command to sort the results based on the numbers in the sort_field. For example, events such as email logs often have multivalue fields in the To: and Cc: information. This search is returning the domains individually, but they are showing up as an entry in each "count" (see the Actual Results below). So far I have the below query which works but it's very slow. Usage. destport. , distinct values of "Field B" grouped by distinct values of "Field A".
Given a set of events like this:
Jul 8, 2010 · Since the original answer in 2010, we now have the fieldsummary command, so you can list the fields from a search: yoursearchhere | fieldsummary This command provides a lot more info than just the field names, though.
Mar 12, 2020 · Hi! I'm trying to create a search that would return unique values in a record, but in one list.
Jul 12, 2019 · Solved: Hi, I'm using this search: | tstats count by host where index="wineventlog" to attempt to show a unique list of hosts in the. To see only unique events, use the dedup command to remove duplicates. index=myIndex container_name="abc-mno-pqr" "status code :: 50*" | dedup transactionId
Nov 16, 2017 · I am searching my logs for key IDs that can either be from group 'AA' or group 'BB'. Anyone know of
Jul 4, 2013 · The solution here is to create the fields dynamically, based on the data in the message. The order of the values reflects the order of the events. Return only the host and src fields from the search results. It gets its answer from looking at metadata in . I figured stats values() would work, and it does, but I'm getting hundreds of thousands of results. One <row-split> field and one <column-split> field. : 224: UC. I was able to calculate the number of emails for each type, but not unique email addresses. But piping into: st
Mar 9, 2021 · Ok so I'm coming from a Splunk background and I'm trying to replicate a search using Kibana. This function processes field values as numbers if possible, otherwise processes field values as strings. I will be configuring the alert to trigger when the results are > 0 since the trigger condition will be in the query and not the alert. First, I'd like the list of unique values for a multivalue field, then alongside each unique value, I'd like the count of occurrences of that value.
The results will be displayed in a table, with each unique value listed in a separate row. Using fields, you can write tailored searches to retrieve the specific events that you want. the number of orders associated with each of those unique customers. A multivalue field is a field that contains more than one value. There is a bit of magic to make this happen cleanly. Use with or without a BY clause. Syntax.
Mar 12, 2013 · What I'm looking for is a hybrid of the stats list() and values() functions. Not all events have the same fields and field values. 1. I would like to extract JSON unique field values. orig_action_name orig_sid orig_rid: Incident review activity fields: Fields related to the notable event on Incident Review. For improper JSON, you can use rex to extract fields. We then pipe these rows through eventstats so that each row will get a 'distinctIPs' field. Thank you Splunk! For example, suppose in the "error_code" field that you want to locate only the codes 400, 402, 404, and 406. How can I do this?
Aug 5, 2024 · This seems to work when trying to find unique values for a field, like 'host': * | chart count by host
Mar 15, 2018 · uniq: Removes any search result that is an exact duplicate of a previous result. These searches empower Splunk users without requiring SPL knowledge. I only want to show unique key IDs in the table.
Dec 20, 2010 · remoteaccess host="ny-vpn" | fields + Message. Then click the "Event Table" box-looking icon just above the results (the center one) and that should then only show the timestamp and the Message field. Specifically, Atlas Search Library offers a curated list of optimized searches. However, you want to list those individual fields as the same field, which could require some eval and case statements.
My task is to calculate the number of all unique email addresses for each type ( message. When you add a field to the Selected Fields list, the field name and field value are included in the search results. dataset<field-list> The function syntax returns only the specified fields in each event that match your search criteria. var(X) Returns the sample variance of the field X. Usage I use a lot of SearchSelectLister modules in my dashboard. My problem is that the
May 25, 2010 · In theory, Splunk should have automatically extracted the srcip and dstip as fields. Use the case function to assign a number to each unique value and place those values in the sort_field. If the values in the field are non-numeric, the minimum value is found using lexicographical ordering.
Sep 28, 2011 · I want to filter out any events where there is a repeat of the particular field - so basically only return unique values. The search "basesearch | table scn*" would come up with a table where I have values across scn01 to scn20. This command can be used to identify the most common values in a field, or to find values that are unique to a specific subset of data.
Nov 6, 2018 · Give this a try: your_base_search | top limit=0 field_a | fields field_a count.
Sep 17, 2014 · This is my first time using Splunk and I have 2 questions. To add fields to the Selected Fields list, click All Fields at the top of the Fields sidebar. What is that exact 100+ number? If I hover my mouse on the field, it shows Top 10 values etc. For example they first select a host, and with this host they select a sourcetype etc. I have a lot of SearchSelectLister and ConvertToIntention nested and it works well. It should go over all the message fields and
May 4, 2016 · I want to list about 10 unique values of a certain field in a stats command. e. The basic commands to get a list of unique values are the chart and dedup commands.
list field are unique for each event. You reduced a large dataset (billions of events) to a much smaller dataset, i. index=pan_logs sourcetype=pan:traffic | head 1 | fieldsummary | table field | mvcombine delim=", " field | nomv field
Apr 15, 2015 · Assuming you're using field extraction to create the multivalued field, you may be able to use a calculated field to tweak its value, but it's something you'd need to play with to know for certain. Type field) for all events I got with search. If you have any field in your data by which you can group it then use that field in the by clause. I have webserver request logs containing browser family and IP address – so should be able to get a count of different & distinct user-browsers by browser family – i. firewall. current Syntax: current=<boolean> Description: If true, the search includes the given, or current, event in the summary calculations. An example of my query so far would be: host=node-1 AND "userCache:"
Jul 26, 2023 · The events are displayed because they were sent to Splunk and nothing in the query removes them. The order of the values is alphabetical. srcip firewall. Evaluate and manipulate fields with multiple values About multivalue fields. Users select values to refine a search. You can use this function with the chart, stats, and timechart commands. 2.
Mar 28, 2022 · Solved: Hi, I have the following JSON String logs. unique customers. index=myIndex container_name="abc-mno-pqr" "status code :: 50*" | dedup transactionId.
Dec 10, 2018 · With the stats command, you can specify a list of fields in the BY clause, all of which are <row-split> fields. In other words I'd
May 24, 2012 · I'd like to build up a list of unique user IDs that call a service. Multivalue fields are parsed at search time, which
Dec 8, 2023 · Hello, I am working on a search to find domains queried via a particular host, and list out a count of hits per unique domain on the host, along with the username.
|stats values(*) as * by your_field_name
Jul 27, 2015 · If Splunk is already identifying the field 'sid' for you as a multivalued field for events having multiple values of it, try this: your base search | where mvcount(sid)=2 AND mvindex(sid,0)!=mvindex(sid,1) If the field sid is not extracted by Splunk automatically, try this
Jul 4, 2013 · How to get a distinct count across two different fields. This function processes field wc-field-list Syntax: <field> Description: A single field name or a space-delimited list of field names. 096 STATS: maint. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. dest firewall. Furthermore, you can create, customize, and maintain your own search library. v1:7:USERS Thanks
Sep 16, 2022 · Hi, Fundamentals question but one of those brain teasers.
Apr 22, 2020 · message. I only want the first ten! Of course, a top command or simple head command won't work
Jan 23, 2018 · My Splunk server is receiving metrics from collectd. Example: Extracted Field= [Direction] However, I don't know all the possible outcomes, so I would like to list out all the values North West South East North East East Does anyone have an idea how I can gen A few different queries / methods to list all fields for indexes. This command can be used to identify and troubleshoot data anomalies, perform data analysis, and create reports. yoursearchhere | fieldsummary | fields field
Oct 26, 2015 · I've read about the pivot and datamodel commands. The srcmac gives me the MAC address. The devtype gives me the type of device like Windows, Mac, Android etc. Specify a list of fields to include in the search results. Breaking down the following search in English, we take the unique combinations of ACCOUNT and IP (using stats).
then use the Pick Fields link on the left to pick the fields and save. I find them by using rex and then display them in a table.
Jul 14, 2014 · I'd like to be able to extract a numerical field from a delimited log entry, and then create a graph of that number over time. Otherwise, you can use the spath command in a query. When I run the search below it gives a count of all events, it looks like where there's both a srcmac and a devtype. I tried: | set diff [search tag=
May 13, 2019 · If you want the actual list of unique addresses, try this: splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip) Or: splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats count by src_ip To also get the number of events for each unique address. The important part of the Splunk query displays unique values for a given field by way of creating a multi-
Jan 2, 2018 · So Splunk introduced the _bkt field (around the same time as indexer clustering, if I remember correctly. I want to build a table showing the metrics, dimensions, and values emitted for each unique
Oct 19, 2012 · How do you use this in, say, a custom app's input panel? If I try running the 'rest /services/data/indexes' search, I get "No results found", even with the time set to "All time". You can use this function with the stats, eventstats, streamstats, and timechart commands. Please help. Here is the process:
Aug 29, 2019 · Use the eval command to create a new field, which we'll call sort_field. I would like to write a Splunk query to find distinct X, and its corresponding Y value. For example, if you want to specify all fields that start with "value", you can use a wildcard such as value*. So you might want to do this. Additional internal fields are included in the output with the outputcsv command.
What do I have to put in the 'populatingSearch' element to make sure
May 1, 2024 · To access more Splunk searches, check out Atlas Search Library, which is part of the Atlas Platform. , if one index contains billions of events in the last hour, but another's most recent data is back just before midnight, you would either miss out on the second index, or have to retrieve all billions of
Apr 12, 2016 · Hello, I am trying to make a search that will return the messages from logs from one set, but not from the other. This command can be used to troubleshoot problems, to identify trends, and to generate reports.
Nov 29, 2023 · Fields are searchable name and value pairings that distinguish one event from another. The final result would be something like below:
UserId, Total Unique Hosts, Total Non-US Unique Hosts
user1, 42, 54
user2, 23, 95
I need to find values that are in field x, that are not in field y. Some of those key IDs are duplicates. list(<value>) Description. So I think that is akin to set A - set B in set theory. how many different users are using Safari for example. Please provide the example other than stats. fields [+|-] <wc-field-list> Required arguments <wc-field-list> Syntax: <field
Apr 23, 2012 · The output of the Splunk query should give me:
USERID USERNAME CLIENT_A_ID_COUNT CLIENT_B_ID_COUNT
11 Tom 3 2
22 Jill 2 2
Should calculate distinct counts for fields CLIENT_A_ID and CLIENT_B_ID on a per-user basis. You can designate other fields to appear in the Selected Fields list. The list of fields must be a comma-separated list. See Incident review activity fields. The Select Fields dialog box shows a list of fields in your events.
May 13, 2010 · |tstats values(<indexed__field_name>) where index=<index_name> will totally avoid going over any events.
The Splunk Get Distinct Values command is a powerful tool that can be used to get a list of all the unique values in a field, or to get a list of all the unique values in a field that meet certain criteria.
May 6, 2021 · The fields can be extracted automatically by specifying either INDEXED_EXTRACTION=JSON or KV_MODE=json in props. I've tried using stats to subtract the distinct count from the normal count, but that still includes the repeated items.
Jan 14, 2016 · Thanks for this. For just a single field, you could probably do this:
Jul 8, 2013 · Solved: I want the list in the dropdown to be unique values in a form. Default: true global Syntax: global=<boolean> ) And it always returns the same bucket name, even if the hostname changes (because it uses a GUID not a hostname). Can you give a comparison o The function syntax returns all of the fields in the events that match your search criteria. So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:
Nov 22, 2016 · Good Morning, Fellow Splunkers. I'm looking to list all events of an extracted field one time. By default, the internal fields _raw and _time are included in output in Splunk Web.
Dec 19, 2022 · That unique_field is just for reference.
Jan 4, 2019 · Great answer by lowell in that first link, and definitely worth reading the indexed extractions docs through. So taking these results, how would I join the index and sourcetype pair for each field name so I would end up with something like this: If false, the search uses the field value from the previous event. First of all, say I have when I enter a certain search (" Login succeeded for user: ") I get the following 4 values. Keeps or removes fields from search results based on the field list criteria.
The syntax for the stats command BY clause is: BY <field-list> For the chart command, you can specify at most two fields. index=bind_queries | stats values(*) AS * | transpose | table column | rename column AS Fieldnames and a list of all indexes, | eventcount summarize=false index=* index=_* | dedup index But I'm struggling to successfully join the two. tsidx files, so no perf hit for scanning events. Basic example | eval n=mvcount(myfield) Extended example. If I use eval to just concatenate the next user ID, I'd end up with duplicates. You can use the Splunk Get Unique Values command to perform a variety of tasks, including: Identifying the most common values in a field. I am completely lost, and
May 25, 2012 · Here's the best approach I can think of.