Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with Splunk query

Mrig342
Contributor
‎01-27-2021 08:25 PM

Hi,

I have created  the below table using the query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State"

App_Name    App_State

abc                    Stopped

cde                    Running

abc                    Running

xyz                    Stopped

the                    Running

abc                   Partially running

abc                   Stopped

xyz                    Running

the                    Running

abc                   Running

and so on.

Here I want to create the table in the below format(the app_state should not repeat for a particular app_name but should be shown once per app_name):

App_Name    App_State

abc                    Running

abc                    Partially running

abc                    Stopped

cde                    Running

xyz                    Running

xyz                    Stopped

the                    Running

I used the "dedup" command along with my above query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State | dedup App_Name"

But I am getting this below output:

App_Name    App_State

abc                    Running

cde                    Running

xyz                    Running

the                    Running

Please help me create the query to get the output in the desired way.

Thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎01-27-2021 08:36 PM

@Mrig342  Try below

 

...|stats values(App_State) as App_State by App_Name|mvexpand App_State

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎01-27-2021 08:36 PM

@Mrig342  Try below

 

...|stats values(App_State) as App_State by App_Name|mvexpand App_State

 

 

Reply
Solved! Jump to solution

Mrig342
Contributor
‎01-27-2021 10:30 PM

Hi 493669,

Thank you for the prompt response. It worked...!!

Your support is much appreciated...!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-27-2021 08:34 PM 
| makeresults
| eval _raw="App_Name    App_State
abc                    Stopped
cde                    Running
abc                    Running
xyz                    Stopped
the                    Running
abc                   Partially running
abc                   Stopped
xyz                    Running
the                    Running
abc                   Running"
| multikv forceheader=1 
| table App_*
| reverse
| sort App_Name
| dedup App_Name App_State
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...