https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473231#M133186 <P>@to4kawa thanks. We saw the doc and probably we missed something: can you show us the point in the doc answering our question? </P> <P>We don't understand how to refactor our query in order to be 8.x compatible.</P> <P>Thanks</P> Tue, 18 Feb 2020 08:08:40 GMT piefragnisp 2020-02-18T08:08:40Z https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473229#M133184 <P>Hi,</P> <P>we are testing a 8.* of Splunk version using a docker image on a POC virtual machine to migrate our 7.3.4 dev cluster.</P> <P>We've noticed there is a change in <CODE>values</CODE> function in <CODE>tstats</CODE> command:</P> <UL> <LI><STRONG>7.3.4 version</STRONG> the <CODE>values</CODE> function can have no inputs params</LI> <LI><STRONG>8.x version</STRONG> the <CODE>values()</CODE> function must have an input param</LI> </UL> <P>so - for example - for a query like this:</P> <P><CODE>| tstats values where index=our_index by fieldA, fieldB | rename fieldA as A, fieldB as B| where like(A,"%some_criteria%") OR like(A,"%some_criteria%") | dedup A | dedup B</CODE></P> <P>we have some difficults understanding the equivalent search in a 8.x Splunk. We tried a query like this one:</P> <P><CODE>| tstats values(fieldA), values(fieldB) where index=our_index by fieldA, fieldB | rename fieldA as A, fieldB as B| where like(A,"%some_criteria%") OR like(A,"%some_criteria%") | dedup A | dedup B</CODE></P> <P>but we don't know if it's the right way because in the output we have two more columns:</P> <UL> <LI>values(A)</LI> <LI>values(B)</LI> </UL> <P>with the same values of columns A and B. Do you have any suggest for this particular case or any docs in order to study these changes?</P> <P>Thanks a lot.</P> Mon, 17 Feb 2020 15:38:43 GMT https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473229#M133184 piefragnisp 2020-02-17T15:38:43Z https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473230#M133185 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Tstats">tstats v8</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.4/SearchReference/Tstats">tstats v7</A></P> <P>changed</P> Mon, 17 Feb 2020 22:14:45 GMT https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473230#M133185 to4kawa 2020-02-17T22:14:45Z https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473231#M133186 <P>@to4kawa thanks. We saw the doc and probably we missed something: can you show us the point in the doc answering our question? </P> <P>We don't understand how to refactor our query in order to be 8.x compatible.</P> <P>Thanks</P> Tue, 18 Feb 2020 08:08:40 GMT https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473231#M133186 piefragnisp 2020-02-18T08:08:40Z https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473232#M133187 <P>both example #9 is easy to understand.</P> <PRE><CODE>| tstats values(fieldA) as A, values(fieldB) as B where index=our_index | where like(A,"%some_criteria%") OR like(A,"%some_criteria%") </CODE></PRE> <P>your query is like above.</P> Tue, 18 Feb 2020 09:20:03 GMT https://community.splunk.com/t5/Splunk-Search/Changes-in-values-function-from-8-x-version/m-p/473232#M133187 to4kawa 2020-02-18T09:20:03Z