topic How to dedup a combination of two fields and get the count of unique values per host? in Splunk Search

How to dedup a combination of two fields and get the count of unique values per host?

mvasquez2 — Tue, 29 Sep 2020 12:17:20 GMT

We have devices that generate thousands of a particular entry. I created a daily search to summarize. I combined the src_int and dest_int into a single field labeled interfaces. What my boss wants is to see the total number of events per host, but only unique to the new field. The problem is he also wants to dedup the interfaces field even if the src_int and dest_int are reversed like this:

Here is the current search:

index=network  sourcetype="cisco:ios*"  (key_word="MAC_MOVE-SP-4-NOTIF" OR key_word="MAC_MOVE-SW1-4-NOTIF") 
|  eval Interfaces = src_int + "," + dest_int |  table host, Interfaces | sort host | dedup Interfaces

What I need is to somehow dedup the "Interfaces" field even if the 2 fields that make up the eval are reversed. I then need to add a count of unique "Interfaces" entries per host after the dedup.

Thanks!

Re: How to dedup a combination of two fields and get the count of unique values per host?

somesoni2 — Tue, 03 Jan 2017 19:19:34 GMT

Try something like this

index=network  sourcetype="cisco:ios*"  (key_word="MAC_MOVE-SP-4-NOTIF" OR key_word="MAC_MOVE-SW1-4-NOTIF") 
 |  eval Interfaces = mvsort(split(src_int + "," + dest_int,","))| nomv interfaces |  table host, Interfaces | sort host | dedup Interfaces

Re: How to dedup a combination of two fields and get the count of unique values per host?

mvasquez2 — Tue, 03 Jan 2017 20:42:21 GMT

OK. Almost there. This is awesome. All I need now is to add a column with the count of the number of events before the dedup.

thanks!

Re: How to dedup a combination of two fields and get the count of unique values per host?

mvasquez2 — Tue, 03 Jan 2017 21:11:43 GMT

actually it would be the # of events AFTER the dedup

Re: How to dedup a combination of two fields and get the count of unique values per host?

somesoni2 — Tue, 03 Jan 2017 22:59:42 GMT

Try this

 index=network  sourcetype="cisco:ios*"  (key_word="MAC_MOVE-SP-4-NOTIF" OR key_word="MAC_MOVE-SW1-4-NOTIF") 
  |  eval Interfaces = mvsort(split(src_int + "," + dest_int,","))| nomv interfaces |  table host, Interfaces | sort host | dedup Interfaces  | eventstats count

Re: How to dedup a combination of two fields and get the count of unique values per host?

mvasquez21 — Wed, 04 Jan 2017 14:58:07 GMT

I had tried that but it gives the same total for each line:

Host Interfaces Count
ns-s-972brus-6509c Gi7/37 47
Po246

ns-s-972brus-6509c Gi7/48 47
Po246

ns-s-972brus-6509c Gi4/25 47
Po246

ns-s-972brus-6509c Gi4/23 47
Po246

What I need is the count of the number of events for each pair of interfaces. For this search the total number of events was 47 so I would expect the count for each pair to add up to 47 total.

Thanks!

Re: How to dedup a combination of two fields and get the count of unique values per host?

somesoni2 — Wed, 04 Jan 2017 15:34:37 GMT

I should've pointed this one out, after dedup, there will be only 1 entry available for each interface, so I guess you need the count of events what was before the dedup. Try this:

index=network  sourcetype="cisco:ios*"  (key_word="MAC_MOVE-SP-4-NOTIF" OR key_word="MAC_MOVE-SW1-4-NOTIF") 
   |  eval Interfaces = mvsort(split(src_int + "," + dest_int,","))| nomv interfaces | stats count latest(host) as host by Interfaces | sort host

Re: How to dedup a combination of two fields and get the count of unique values per host?

mvasquez21 — Wed, 04 Jan 2017 18:37:46 GMT

Ah. I gotcha. This works though for the count. Thanks so much for your help!