https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53693#M13058 <P><A href="http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions</A></P> <PRE><CODE>values(X) This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical. </CODE></PRE> <P>So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:</P> <PRE><CODE>... | stats values(foo) </CODE></PRE> Wed, 18 Jan 2012 21:03:32 GMT Ayn 2012-01-18T21:03:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53692#M13057 <P>Good afternoon all,</P> <P>I have a datasource that I've used transforms.conf and props.conf to create a "field" derived from a comma-delimited portion of each event. How do I get a list of the distinct values?</P> <P>For example, if I have three events:<BR /><BR /> [A, B, C, D]<BR /><BR /> [D, E, F, G]<BR /><BR /> [A, G, C, Z] </P> <P>How do I get a resultset that gives me "A", "B", "C", "D", "E", "F", "G", "Z" and no counts or any other information?</P> <P>I already have the transforms.conf and props.conf pulling out the values for the "tags", but not a way to say "Here are all of the values for that field". In SQL, I'd use "SELECT DISTINCT TEXT FROM MYTAGS...", but I don't know about the Splunk query values.</P> Wed, 18 Jan 2012 19:09:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53692#M13057 wwhitener 2012-01-18T19:09:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53693#M13058 <P><A href="http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions">http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions</A></P> <PRE><CODE>values(X) This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical. </CODE></PRE> <P>So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:</P> <PRE><CODE>... | stats values(foo) </CODE></PRE> Wed, 18 Jan 2012 21:03:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53693#M13058 Ayn 2012-01-18T21:03:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53694#M13059 <P>I guess I went the wrong way around it then.<BR /> source="mysource.log" | stats count by myfield | fields myfield<BR /> It was to populate a form dropdown, so ultimately even the "fields" functions is not really needed for what I wanted.<BR /> Thanks for the answer! I'll try it your way too.</P> Wed, 18 Jan 2012 21:06:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-distinct-values-for-a-derived-field-in-a-search/m-p/53694#M13059 wwhitener 2012-01-18T21:06:21Z