I'm trying to do a search in Splunk in which I'm trying to narrow it down to a unique substring.
An example of my query so far would be:
host=node-1 AND "userCache:"
Which returns something like this:
Time Event
06/04/2021-blah Cache miss: userCache: tjohnson
host=node-1
06/04/2021-blah Cache miss: userCache: sbaca
host=node-1
06/04/2021-blah Cache miss: userCache: tjohnson
host=node-1
What I want to do, though, is to return only one unique value based on what comes after userCache:
In the above example, only two results would be returned - one for tjohnson and one for sbaca. The additional tjohnson would be stripped since there is already a tjohnson in the results.
Any suggestions?
Thanks much
That calls for the dedup command, which removes duplicates from the search results. First, however, we need to extract the user name into a field. We'll do that using rex.
index=foo ```Always specify an index``` host=node-1 AND "userCache:"
| rex "userCache:\s*(?<user>\w+)"
| dedup user
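As an added illustration (not part of the original answer), the Python below reproduces what the rex and dedup stages do to a handful of constructed events modelled on the question's output, and also checks the one caveat worth knowing: `\w+` stops at characters such as `.` or `-`, so a user name like `t.johnson` would be extracted as just `t`. The events, the looser `\S+` variant, and the helper names are assumptions made for this example.

```python
import re

# Constructed sample events modelled on the question's output (not real log data).
SAMPLE_EVENTS = [
    "06/04/2021 12:00:01 Cache miss: userCache: tjohnson",
    "06/04/2021 12:00:02 Cache miss: userCache: sbaca",
    "06/04/2021 12:00:03 Cache miss: userCache: tjohnson",
    "06/04/2021 12:00:04 Cache hit: sessionCache: abc123",  # no userCache: token
]

# Same pattern as the answer's rex: a named group "user" after "userCache:".
USER_RE = re.compile(r"userCache:\s*(?P<user>\w+)")

# Looser variant (assumption for this example): \S+ also takes dots, hyphens, @.
USER_RE_LOOSE = re.compile(r"userCache:\s*(?P<user>\S+)")


def extract_user(event, pattern=USER_RE):
    """Mimic `rex "userCache:\\s*(?<user>\\w+)"`: return the user, or None if
    the pattern does not match (Splunk leaves the field null in that case)."""
    m = pattern.search(event)
    return m.group("user") if m else None


def dedup_users(events, pattern=USER_RE):
    """Mimic `| dedup user`: keep the first event for each distinct user value,
    in the order seen. Events where the field was not extracted are dropped,
    matching dedup's default (keepempty=false)."""
    seen = set()
    kept = []
    for event in events:
        user = extract_user(event, pattern)
        if user is None or user in seen:
            continue
        seen.add(user)
        kept.append((user, event))
    return kept


if __name__ == "__main__":
    for user, event in dedup_users(SAMPLE_EVENTS):
        print(f"{user:10} {event}")
    # The caveat: with \w+ a dotted user name is truncated at the dot.
    print(extract_user("Cache miss: userCache: t.johnson"))
    print(extract_user("Cache miss: userCache: t.johnson", USER_RE_LOOSE))
```

Running it prints the two surviving events (tjohnson, then sbaca), followed by `t` and `t.johnson`, which is why it is worth eyeballing a few extracted values before trusting the dedup counts.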