Solved: Creating table by same unique id

abdulvehhaba · ‎11-04-2017

Hi

I have data like this

I want to dedup (group) uuid and create a price table in same row

acharlieh · ‎11-04-2017

Depending on what exactly you are expecting, there are at least a couple of different ways you could accomplish this:

<base search> | stats list(price) as price list(market) as market by uuid

This one uses Multivalue functions to give you the pairs of price and market

<base search> | chart limit=0 latest(price) over uuid by market

This one would have a row per uuid, with the price for each market in different columns by using the chart function.

I used the following as a base search to simulate your data:

| makeresults count=6 | streamstats count | eval uuid=if(count<=3,"A","B"), market=case(count%3=1,"MarketA",count%3=2,"MarketB",1=1,"MarketC"), price=random()

View solution in original post

acharlieh · ‎11-04-2017

Depending on what exactly you are expecting, there are at least a couple of different ways you could accomplish this:

<base search> | stats list(price) as price list(market) as market by uuid

This one uses Multivalue functions to give you the pairs of price and market

<base search> | chart limit=0 latest(price) over uuid by market

This one would have a row per uuid, with the price for each market in different columns by using the chart function.

I used the following as a base search to simulate your data:

| makeresults count=6 | streamstats count | eval uuid=if(count<=3,"A","B"), market=case(count%3=1,"MarketA",count%3=2,"MarketB",1=1,"MarketC"), price=random()

abdulvehhaba · ‎11-05-2017

| chart limit=0 latest(price) over uuid by market

solve my problem thx, but it show only uuid and price i cannot see date, time etc

Creating table by same unique id

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience