https://community.splunk.com/t5/Splunk-Search/How-to-display-one-to-one-mapping-between-fields-in-stats/m-p/741028#M240522 <P>The <FONT face="courier new,courier">values</FONT> and <FONT face="courier new,courier">list</FONT> functions display results in lexicographic order and destroy any potential relationship among the fields.&nbsp; One solution is use <FONT face="courier new,courier">mvzip</FONT> to combine fields, group the results, then unzip the fields.</P><LI-CODE lang="markup">index=okta or index=network | iplocation (src_ip) | eval tuple = mvzip(src_ip, mvzip(deviceName, mvzip(City, Country))) | stats values(tuple) by user, index | eval fields = split(tuple, ",") | eval src_ip = mvindex(fields, 0), deviceName=mvindex(fields,1), City=mvindex(fields, 2), Country=mvindex(fields,3)</LI-CODE><P>A better approach might be to perform the <FONT face="courier new,courier">iplocation</FONT> command after <FONT face="courier new,courier">stats</FONT>.</P><LI-CODE lang="markup">index=okta or index=network | stats values(src_ip) as src_ip by user, index | mvexpand src_ip | iplocation (src_ip)</LI-CODE><P>&nbsp;</P> Thu, 06 Mar 2025 15:23:45 GMT richgalloway 2025-03-06T15:23:45Z https://community.splunk.com/t5/Splunk-Search/How-to-display-one-to-one-mapping-between-fields-in-stats/m-p/740541#M240451 <P>Hi there,&nbsp; how can i use stats command to one to one mapping between fields .&nbsp; I have tried "list" function and "values" function both but results are not expected.<BR />Example:&nbsp;we are consolidating data from 2 indexes and both indexes have same fields of interests ( user, src_ip)&nbsp;<BR />Base query:</P><P>&nbsp;</P><LI-CODE lang="markup">index=okta or index=network | iplocation (src_ip) |stats values(src_ip) values(deviceName) values(City) values(Country) by user, index</LI-CODE><P>&nbsp;</P><P><BR /><BR />Results:<BR />We get something like this<BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="20%" height="25px">user</TD><TD width="20%" height="25px">index</TD><TD width="20%" height="25px">src_ip</TD><TD width="20%" height="25px">DeviceName</TD><TD width="20%" height="25px">Country</TD></TR><TR><TD width="20%" height="25px">John_smith</TD><TD width="20%" height="25px">okta</TD><TD width="20%" height="25px">10.0.0.1<BR />192.178.2.24</TD><TD width="20%" height="25px">laptop01</TD><TD width="20%" height="25px">USA</TD></TR><TR><TD width="20%" height="25px">John_smith</TD><TD width="20%" height="25px">network</TD><TD width="20%" height="25px">198.20.0.14<BR />64.214.71.89<BR />64.214.71.90<BR />71.29.100.90</TD><TD width="20%" height="25px">laptop01<BR />laptop02<BR />server01<BR />My-CloudPC</TD><TD width="20%" height="25px">USA</TD></TR><TR><TD width="20%" height="25px">&nbsp;</TD><TD width="20%" height="25px">&nbsp;</TD><TD width="20%" height="25px">&nbsp;</TD><TD width="20%" height="25px">&nbsp;</TD><TD width="20%" height="25px">&nbsp;</TD></TR></TBODY></TABLE><P><BR />Expected results:<BR />How to map which <STRONG>src_ip</STRONG> is coming from which <STRONG>Devicename</STRONG>?&nbsp; We want to align the <STRONG>Devicename&nbsp;&nbsp;</STRONG>in same sequence as per the src_ip ?<BR /><BR />If i use <STRONG>list</STRONG> instead of <STRONG>values</STRONG> in my stats,&nbsp; it shows duplicates like this for src_ip and deviceName. Even doing a <STRONG>|dedup src_ip</STRONG> is not helping&nbsp;<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1741004055398.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/37940iAE6BF846AAFFC397/image-size/large?v=v2&amp;px=999" role="button" title="neerajs_81_0-1741004055398.png" alt="neerajs_81_0-1741004055398.png" /></span></P><P>&nbsp;</P><P><BR /><BR />Hope clear.<BR /><BR /></P> Mon, 03 Mar 2025 12:14:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-one-to-one-mapping-between-fields-in-stats/m-p/740541#M240451 neerajs_81 2025-03-03T12:14:37Z https://community.splunk.com/t5/Splunk-Search/How-to-display-one-to-one-mapping-between-fields-in-stats/m-p/741028#M240522 <P>The <FONT face="courier new,courier">values</FONT> and <FONT face="courier new,courier">list</FONT> functions display results in lexicographic order and destroy any potential relationship among the fields.&nbsp; One solution is use <FONT face="courier new,courier">mvzip</FONT> to combine fields, group the results, then unzip the fields.</P><LI-CODE lang="markup">index=okta or index=network | iplocation (src_ip) | eval tuple = mvzip(src_ip, mvzip(deviceName, mvzip(City, Country))) | stats values(tuple) by user, index | eval fields = split(tuple, ",") | eval src_ip = mvindex(fields, 0), deviceName=mvindex(fields,1), City=mvindex(fields, 2), Country=mvindex(fields,3)</LI-CODE><P>A better approach might be to perform the <FONT face="courier new,courier">iplocation</FONT> command after <FONT face="courier new,courier">stats</FONT>.</P><LI-CODE lang="markup">index=okta or index=network | stats values(src_ip) as src_ip by user, index | mvexpand src_ip | iplocation (src_ip)</LI-CODE><P>&nbsp;</P> Thu, 06 Mar 2025 15:23:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-one-to-one-mapping-between-fields-in-stats/m-p/741028#M240522 richgalloway 2025-03-06T15:23:45Z