https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211051#M61718 <P>Hi, </P> <P>I have a requirement to use display first row for every ACCNO.any Ideas?</P> <P>query:<BR /> I used some transaction command |table ACCNO,VALUE</P> <P>ACCNO VALUE<BR /> 1 100<BR /> 1 110<BR /> 2 125<BR /> 2 134<BR /> 2 143<BR /> 3 156<BR /> 3 123<BR /> 4 124<BR /> 5 567<BR /> 5 129 <BR /> 5 345</P> <P>EXPECTED OUTPUT:</P> <P>ACCNO VALUE<BR /> 1 100<BR /> 2 125<BR /> 3 156<BR /> 4 124<BR /> 5 567</P> Wed, 03 Aug 2016 18:09:39 GMT mprreddy51 2016-08-03T18:09:39Z https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211051#M61718 <P>Hi, </P> <P>I have a requirement to use display first row for every ACCNO.any Ideas?</P> <P>query:<BR /> I used some transaction command |table ACCNO,VALUE</P> <P>ACCNO VALUE<BR /> 1 100<BR /> 1 110<BR /> 2 125<BR /> 2 134<BR /> 2 143<BR /> 3 156<BR /> 3 123<BR /> 4 124<BR /> 5 567<BR /> 5 129 <BR /> 5 345</P> <P>EXPECTED OUTPUT:</P> <P>ACCNO VALUE<BR /> 1 100<BR /> 2 125<BR /> 3 156<BR /> 4 124<BR /> 5 567</P> Wed, 03 Aug 2016 18:09:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211051#M61718 mprreddy51 2016-08-03T18:09:39Z https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211052#M61719 <P>Try any of these</P> <PRE><CODE> some transaction command |table ACCNO,VALUE | dedup ACCNO some transaction command |table ACCNO,VALUE | stats first(VALUE) as VALUE by ACCNO </CODE></PRE> Wed, 03 Aug 2016 18:12:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211052#M61719 somesoni2 2016-08-03T18:12:10Z https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211053#M61720 <P>@somesoni2</P> <P>Hi Somesh,</P> <P>can we use first(duration) or last(duration) in timechart command?I want to pick only first value in duration</P> <P>like sampledata:</P> <P>_time duration<BR /> 2016-08-02 12:00:00 11.848000<BR /> 12.031000<BR /> query:<BR /> transaction command| timechart span=1m list(duration) as duration</P> <P>thanks.</P> Wed, 03 Aug 2016 20:46:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211053#M61720 mprreddy51 2016-08-03T20:46:47Z https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211054#M61721 <P>You're using list function with timechart, so you'd be getting a multivalued field duration for minutes where there is multiple duration. This list will be sorted by the time. So if you want to pick up only a single value, first or last, from this multivalued list, try like this for getting first/oldest duration for that min</P> <PRE><CODE>transaction command| timechart span=1m list(duration) as duration | eval duration=mvindex(duration,0) </CODE></PRE> <P>Replace<CODE>| eval duration=mvindex(duration,0)</CODE> with <CODE>| eval duration=mvindex(duration,-1)</CODE> for last/latest duration for that min</P> Wed, 03 Aug 2016 21:06:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-ONLY-first-row-for-each-value-in-table/m-p/211054#M61721 somesoni2 2016-08-03T21:06:11Z