Solved: How do I combine unique values of a field into one...

srizan · ‎11-29-2018

I am trying to make a report with the unique combination of ID, AVER SRV, ZONE, IPADDR & host. Unfortunately, I am getting lots of duplicate values because I have multiple values for ZONE, IPADDR & host. Currently, I am using 3 different queries in Splunk and joining the table with SRV later. However, is there anyway I can combine multiple values of those fields in one field each so I won't have lots of duplication.

Currently I am using the following query:
I have a query that re

source=*prod*
| dedup SRV AVER ZONE  
| fields + SRV , IVER, AVER, ZONE 
| stats values(ZONE) as ZONE by SRV AVER  
| nomv ZONE 
| eval ZONE=replace(ZONE,"\s",",")

source=*prod*
| dedup SRV IPADDR
| fields +  SRV IPADDR
| stats values(IPADDR) as IPADDR by SRV 
| nomv IPADDR 
| eval IPADDR =replace(IPADDR ,"\s",",")

source=*prod*
| dedup SRV host
| fields + SRV , host
| stats values(host) as host by SRV 
| nomv host 
| eval host=replace(host,"\s",",")

srizan · ‎11-30-2018

Surprisingly it worked after I switched values(IPADDR ) at the end.
Before I was doing the following

    source=*prod*
     | dedup SRV AVER ZONE  
     | fields + SRV , IVER, AVER, ZONE 
     | stats values(ZONE) as ZONE, values(IPADDR) as IPADDR, values(host) as host by SRV AVER  
     | nomv ZONE 
     | eval ZONE=replace(ZONE,"\s",",")
     | nomv IPADDR 
     | eval IPADDR =replace(IPADDR ,"\s",",") 
     | nomv host 
     | eval host=replace(host,"\s",",")

It worked after I switched place between host & IPADDR:

  source=*prod*
 | dedup SRV AVER ZONE  
 | fields + SRV , IVER, AVER, ZONE 
 | stats values(ZONE) as ZONE, values(host) as host,  values(IPADDR) as IPADDR by SRV AVER  
 | nomv ZONE 
 | eval ZONE=replace(ZONE,"\s",",")
 | nomv host 
 | eval host=replace(host,"\s",",")
 | nomv IPADDR 
 | eval IPADDR =replace(IPADDR ,"\s",",")

I am not sure why did this happen? Can anyone explain me the difference, and why it might not have worked. BTW, when I tried the first command, it did not even show the host field at all in the final output.

View solution in original post

srizan · ‎11-30-2018

Surprisingly it worked after I switched values(IPADDR ) at the end.
Before I was doing the following

    source=*prod*
     | dedup SRV AVER ZONE  
     | fields + SRV , IVER, AVER, ZONE 
     | stats values(ZONE) as ZONE, values(IPADDR) as IPADDR, values(host) as host by SRV AVER  
     | nomv ZONE 
     | eval ZONE=replace(ZONE,"\s",",")
     | nomv IPADDR 
     | eval IPADDR =replace(IPADDR ,"\s",",") 
     | nomv host 
     | eval host=replace(host,"\s",",")

It worked after I switched place between host & IPADDR:

  source=*prod*
 | dedup SRV AVER ZONE  
 | fields + SRV , IVER, AVER, ZONE 
 | stats values(ZONE) as ZONE, values(host) as host,  values(IPADDR) as IPADDR by SRV AVER  
 | nomv ZONE 
 | eval ZONE=replace(ZONE,"\s",",")
 | nomv host 
 | eval host=replace(host,"\s",",")
 | nomv IPADDR 
 | eval IPADDR =replace(IPADDR ,"\s",",")

I am not sure why did this happen? Can anyone explain me the difference, and why it might not have worked. BTW, when I tried the first command, it did not even show the host field at all in the final output.

srizan · ‎11-30-2018

So far I was able to combine 2 of those into one stats, introducing third value(X) as X would not yeild the last field in the final result. Here is what the query looks like:

 source=*prod*
| dedup SRV AVER ZONE  
| fields + SRV , IVER, AVER, ZONE 
| stats values(ZONE) as ZONE values(IPADDR) as IPADDR by SRV AVER  
| nomv ZONE 
| eval ZONE=replace(ZONE,"\s",",")
| nomv IPADDR 
| eval IPADDR =replace(IPADDR ,"\s",",")

How do I combine unique values of a field into one for multiple fields?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor