topic Re: Display in table each unique value and additional field? in Splunk Search

Display in table each unique value and additional field?

splunk_95 — Tue, 25 Jul 2017 09:43:55 GMT

Hi all,

I am a very new splunk user and would like to conduct produce a table with of each unique ID and the corresponding error message.

For context, each 'event' looks similar to this:

'Date (?) name (?) error details'

So I have managed to extract the ID and ErrorID, but there are often multiple events of the same ID as that particular doc gets updated.

My thinking was to get each unique value of ID and then the corresponding ErrorID, but im not sure how will splunk know which particular event of say (ID=123) to use for the ErrorID (note that for say all 5 instances of ID=123, ErrorID would most likely be the same).

Would one way be telling it to use the first instance of ID to display ErrorID?

I have searched through threads but no one has quite as what I need I believe, I think I may need to use 'Dedup' but not entirely how to make it get the corresponding ErrorID

Cheers everyone - literally any help would be appreciated.

Re: Display in table each unique value and additional field?

mdsnmss — Tue, 25 Jul 2017 14:39:36 GMT

I believe you are right in using dedup. You can specify multiple fields to dedup by and I think that is what you need:

| dedup ID ErrorID

This will give you all of the possible unique combinations of ID and ErrorID

Re: Display in table each unique value and additional field?

woodcock — Tue, 25 Jul 2017 15:29:38 GMT

Dedup will give you the most recently occurring event for each combination, if you need the first event, just add | reverse before | dedup ....

Re: Display in table each unique value and additional field?

splunk_95 — Tue, 25 Jul 2017 16:51:55 GMT

Thanks - out of interest would you know how I could replicate this in a timechart? Im thinking of using dc(distinct count) something like:
dc(ID,ErrorID)? But do you think there would be a better way?
Or is there a way of getting the number of instances of unique combinations? Thinking of maybe using evaland assign a variable this value then usingstats count

Re: Display in table each unique value and additional field?

woodcock — Tue, 25 Jul 2017 17:55:21 GMT

Create an amalgam field with | eval amalgam = ID . "::::" . ErrorID and timechart with dc(amalgam).

Re: Display in table each unique value and additional field?

DalJeanis — Tue, 25 Jul 2017 21:06:53 GMT

As a general case, I've found dedup to be expensive, and I haven't been able to figure out in what cases it is and when it isn't. As long as the events have a _time value, you can use stats with earliest(foo) to get the first value of variable foo.

your search that gets _time, uniqueID and errorID
| stats min(_time) as _time, earliest(errorID) as errorID by uniqueID