Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display only one row with duplicated columns

splunkkid
Path Finder
‎02-03-2021 12:58 AM

Hello,

I am trying to build Splunk Dashboard with my logs in splunk. The rows are like below.

 

[row 1]

{

 "id" : 123,
 "name" : "A",
 "sub_id" : 444,
 "count" : 25 

}

 

[row 2]

{

 "id" : 123,
 "name" : "A",
 "sub_id" : 445,
 "count" : 25 

}

 

As you can see, some of my results have the column with id value is same but sub_id is different.

I need to sum(count) only once if "id" is different, but the results came out as duplicated(not exactly twice, some results have same id with 3 or 4rows, So dividing by 2 is not a good solution.)

 

I want to build timechart with above data and made SPL like below.

host=[HOST] index=[INDEX] sourcetype=[SOURCETYPE] source=[SOURCE] | bucket span=1d _time | chart limit=0 sum(vm.count) as VM by _time

 

So, How could I sum count data if the id is same? Thank you,

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2021 02:55 AM

So using the first vm.count for each vm.id in each bucket would give you the counts you need to sum?

host=[HOST] index=[INDEX] sourcetype=[SOURCETYPE] source=[SOURCE] 
| bucket span=1d _time 
| stats first(vm.count) as vm.count by _time vm.id
| chart limit=0 sum(vm.count) as VM by _time

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2021 02:36 AM

When id is the same, are name and count also the same, only sub_id is different?

0 Karma
Reply
Solved! Jump to solution

splunkkid
Path Finder
‎02-03-2021 02:46 AM

@ITWhisperer 

Yes, you're correct. I want to sum count only once by ID(But not grouping), and create timechart.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2021 02:55 AM

So using the first vm.count for each vm.id in each bucket would give you the counts you need to sum?

host=[HOST] index=[INDEX] sourcetype=[SOURCETYPE] source=[SOURCE] 
| bucket span=1d _time 
| stats first(vm.count) as vm.count by _time vm.id
| chart limit=0 sum(vm.count) as VM by _time
Reply
Solved! Jump to solution

splunkkid
Path Finder
‎02-03-2021 03:20 AM

Thank you! That is correct!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...