Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Result of subsearch field repeated instead of displaying unique values

mahbs
Path Finder
‎01-18-2018 01:26 AM

Hi,

I have a could of fields that contain multiple values, and I am trying to seperate them into sepereate records. The following query works 90%. The only issue is that the last field in the subsearch is not displaying the unique valeus, for example it may contain the value: 2,3 but it will only display 2. Every other field works fine in terms of displaying all the unique values per record. This is the current query I have:

index=index sourcetype=csv source=src1 host=host1 
 | stats count by ITEM field2 field3 field4 
 | rename field2 as F_2 field3 as F_3 field4 as F_4 
 | join ITEM 
     [ search index=index sourcetype=csv source=src2 host=host2 
     | stats count by SKU c_2 c_3 c_4 
     | rename SKU as ITEM | rename c_2 as C_2 c_3as C_3 c_4as C_4 ] 
 | eval DIFF1=F2-C_2 
 | eval DIFF2=F_3-C_3 
 | sort limit=0 ITEM 
 | table ITEM, F_2, F_3, F_4, c_2, c_3, c_4, DIFF1, DIFF2

Can someone suggest what I can do to fix the problem?

Thanks

Tags (1)
0 Karma
Reply

cmerriman
Super Champion
‎01-18-2018 06:07 AM

if your fields are a multivalued list, splunk only brings back the first value. try adding |nomv C_4 at the end of your subsearch to convert it to a single value. you can also try having |mvcombine delim="," C_4 before the nomv to add a comma between the values.

http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Mvcombine
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Nomv

0 Karma
Reply

493669
Super Champion
‎01-18-2018 01:34 AM

could you specify in detail which subsearch is not displaying unique values and what is the output you are getting and what is expected?

0 Karma
Reply

mahbs
Path Finder
‎01-18-2018 01:40 AM

Hi,
yep, the sub-search is where source=src2. Essentially C_4has multiple values, and im trying to seperate these values into seperate records which is working for the most part, but c_4 for some reason isn't displaying all the multiple values, it's just repeating, where as all the other fields are displaying the multiple data.

This is the output I want:
ITEM: 1234 F_2=22 F_3=21 F_4=23
ITEM: 1234 C_2=1 C_3=2 C_4=2

I hope that makes sense

0 Karma
Reply

493669
Super Champion
‎01-18-2018 01:53 AM

could you please run only subsearch i.e.

search index=index sourcetype=csv source=src2 host=host2
| stats count by SKU c_2 c_3 c_4
| rename SKU as ITEM | rename c_2 as C_2 c_3 as C_3 c_4 as C_4

what output you are getting and what is expeced...

0 Karma
Reply

mahbs
Path Finder
‎01-18-2018 01:56 AM

I'm getting a list of all the data for the fields I have specified in the query

0 Karma
Reply

mahbs
Path Finder
‎01-18-2018 01:56 AM

There's also count column at the end

0 Karma
Reply

493669
Super Champion
‎01-18-2018 02:07 AM

do you require count field else you should remove it using |fields - count

0 Karma
Reply

mahbs
Path Finder
‎01-18-2018 02:16 AM

yeah but that's not the problem at the moment

0 Karma
Reply

493669
Super Champion
‎01-18-2018 02:21 AM

also why you are renaming same field in subsearch....else query looks fine ..if you could share dummy data for source=src2 and src1 then I can try

0 Karma
Reply

mahbs
Path Finder
‎01-18-2018 01:42 AM

I'm not sure if the join is working properly

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...