topic Re: How to use dedup on a field, but aggregate all other values in another field? in Splunk Search

How to use dedup on a field, but aggregate all other values in another field?

Presh — Tue, 12 Jan 2016 16:42:51 GMT

I am running a search to identify all users and the URLs they have connected to. The result includes duplicate users, but different URLs. I would like to dedup the users field, but have it list all URLs each user as connected to.

The results currently look like this:

User       URLS
Mak        Cnn.com
Mak        Google.com
Mak        Yahoo.com
Bam        Aljazeera.com
Bam        BBC.com

I would like it to look like this;

User       URLS
Mak        Cnn.com
           Google.com
           Yahoo.com
Bam        Aljazeera.com
           BBC.com

I hope this makes sense.

The current search is .... | table user src_user. If I use the dedup value against the src_user, I lose all the URLs except for one that associates with each user returned in the dedup function.

Thanks,

Re: How to use dedup on a field, but aggregate all other values in another field?

javiergn — Tue, 12 Jan 2016 17:02:31 GMT

| yourquery
| stats list(URLS) as URLS by User

Re: How to use dedup on a field, but aggregate all other values in another field?

javiergn — Tue, 12 Jan 2016 17:03:40 GMT

Note that list won't do dedup on URLs, you can use values instead if you want this to happen:

| inputcsv mycsv.csv
| stats values(URLS) as URLS by User

Re: How to use dedup on a field, but aggregate all other values in another field?

Presh — Tue, 12 Jan 2016 20:30:58 GMT

Thanks Javiergn, it works.