topic Re: group same values into one value in Splunk Search

How to group same values into one value?

sekhar463 — Thu, 29 Dec 2022 04:06:12 GMT

Good day,

how to group results of a same filed value into one fileld value

from below table i have a field box-name and in the multiple value of same

how can i group same value into one value as below table for same value in BOX_NAME field how can i keep as one value

i am using search to table the results

index=indexname sourcetype=sourename | eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | table BOX_NAME,JOB_NAME,JOB_GROUP,REGION,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME

BOX_NAME JOB_NAME JOB_GROUP REGION TIMEZONE STATUS

PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-60ZIP	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-040INF	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-080DEL	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-010ARC	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-025FW	JAWS	Central	SUCCESS

Re: group same values into one value

gcusello — Mon, 26 Dec 2022 16:09:23 GMT

Hi @sekhar463,

I'm not sure to have understood your need, you could dedup using one field or use stats:

index=indexname sourcetype=sourename | eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M") | stats values(JOB_NAME) AS JOB_NAME values(JOB_GROUP) AS JOB_GROUP values(REGION) AS REGION values(TIMEZONE) AS TIMEZONE values(STATUS) AS STATUS values(Currenttime) AS Currenttime values(STATUS_TIME) AS STATUS_TIME values(LAST_START) AS LAST_START values(LAST_END) AS LAST_END values(NEXT_START) AS NEXT_START values(DAYS_OF_WEEK) AS DAYS_OF_WEEK values(EXCLUDE_CALENDAR) AS EXCLUDE_CALENDAR values(RUNTIME) AS RUNTIME values(Actualstarttime) AS Actualstarttime values(Job_start_by) AS Job_start_by values(START_SLA) AS START_SLA values(AVG_RUN_TIME) AS AVG_RUN_TIME BY BOX_NAME

Ciao.

Giuseppe

Re: group same values into one value

sekhar463 — Tue, 27 Dec 2022 08:37:56 GMT

hi Thanks for the search

i am getting expected results

but for somevalues are missing it was showing only Unique values for any field

for example for RUNTIME field it will show 10 values for 10 JOB_NAME field

but not showing for all of them like below is the out put values but showing only few

0
2
0
2
33
33
33
33
33
33
34
34
34
33
34
35
34
32
34
34
35
34
33
34
33
33
34
33
34
33
34
33
33
34
184
34
33
184
34
34
64
814
94
5
33
33
33
34
34
34
1053
33

Re: group same values into one value

PickleRick — Tue, 27 Dec 2022 09:00:07 GMT

It's not entirely clear what you mean.

If you want to have a "multirow" cell in your output visualization - kind of "groupping" of the rest of the row data - you can't do that. At least not with any of the built-in visualizations.

Re: group same values into one value

gcusello — Tue, 27 Dec 2022 09:01:01 GMT

Hi @sekhar463,

if you don't want unique values but the list of values, you have to replace the values option with the list option, as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions

Ciao.

Giuseppe