Need help with Splunk query

Mrig342
Contributor

Hi,

I have created the below table using the query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State"

App_Name    App_State
abc         Stopped
cde         Running
abc         Running
xyz         Stopped
the         Running
abc         Partially running
abc         Stopped
xyz         Running
the         Running
abc         Running

and so on.

Here I want to create the table in the below format (the app_state should not repeat for a particular app_name, but each state should be shown once per app_name):

App_Name    App_State
abc         Running
abc         Partially running
abc         Stopped
cde         Running
xyz         Running
xyz         Stopped
the         Running

I used the "dedup" command along with my above query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State | dedup App_Name"

But I am getting this below output:

App_Name    App_State
abc         Running
cde         Running
xyz         Running
the         Running

Please help me create the query to get the output in the desired way.

Thank you.

0 Karma
1 Solution

493669
Super Champion

@Mrig342  Try below

...|stats values(App_State) as App_State by App_Name|mvexpand App_State
Mrig342
Contributor

Hi 493669,

Thank you for the prompt response. It worked...!!

Your support is much appreciated...!!

0 Karma

to4kawa
Ultra Champion

| makeresults
| eval _raw="App_Name    App_State
abc                    Stopped
cde                    Running
abc                    Running
xyz                    Stopped
the                    Running
abc                   Partially running
abc                   Stopped
xyz                    Running
the                    Running
abc                   Running"
| multikv forceheader=1
| table App_*
| reverse
| sort App_Name
| dedup App_Name App_State
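
Both answers above produce the same set of (App_Name, App_State) pairs by different routes, and the question's own attempt shows why a single-field dedup loses rows. The following Python script is an added example, not code from either poster or from Splunk: it re-implements the question's two rex extractions over a handful of constructed events and then models the three SPL pipelines in plain Python so the difference can be seen offline: `dedup App_Name` (the question's attempt), `stats values(App_State) as App_State by App_Name | mvexpand App_State` (493669's answer) and `dedup App_Name App_State` (to4kawa's answer). The event layout, including the "Number of nodes" line, is an assumption chosen so that the original regexes match.

```python
import re

# Constructed raw events (not from the original post), laid out so that the
# question's two rex patterns match: "Label Name : <app>", then
# "Sync State : <state>", then a line starting with "Number".
RAW_EVENTS = [
    "Label Name : abc\nSync State : Stopped\nNumber of nodes : 3",
    "Label Name : cde\nSync State : Running\nNumber of nodes : 1",
    "Label Name : abc\nSync State : Running\nNumber of nodes : 3",
    "Label Name : xyz\nSync State : Stopped\nNumber of nodes : 2",
    "Label Name : the\nSync State : Running\nNumber of nodes : 2",
    "Label Name : abc\nSync State : Partially running\nNumber of nodes : 3",
    "Label Name : abc\nSync State : Stopped\nNumber of nodes : 3",
    "Label Name : xyz\nSync State : Running\nNumber of nodes : 2",
    "Label Name : the\nSync State : Running\nNumber of nodes : 2",
    "Label Name : abc\nSync State : Running\nNumber of nodes : 3",
]

# The question's regexes unchanged, except that Python spells the named group
# (?P<...>) and SPL's (?ms) becomes re.S; the 'm' flag has no effect here
# because neither pattern uses ^ or $.
APP_NAME_RE = re.compile(r"Label\s+Name\s:\s(?P<App_Name>\w+\S+)", re.S)
APP_STATE_RE = re.compile(r"Sync\sState\s:\s(?P<App_State>[\w\s]+\w)\s+Number", re.S)


def extract(events):
    """Equivalent of the two rex commands: one (App_Name, App_State) row per
    event, in result order; events missing either field are dropped, which is
    what a later `table` would show as empty cells."""
    rows = []
    for raw in events:
        name = APP_NAME_RE.search(raw)
        state = APP_STATE_RE.search(raw)
        if name and state:
            rows.append((name.group("App_Name"), state.group("App_State")))
    return rows


def dedup_by_name(rows):
    """`| dedup App_Name`: keep only the first row seen for each App_Name.
    This is why the question's attempt collapsed every app to one state."""
    seen = set()
    out = []
    for name, state in rows:
        if name not in seen:
            seen.add(name)
            out.append((name, state))
    return out


def stats_values_mvexpand(rows):
    """`| stats values(App_State) as App_State by App_Name | mvexpand App_State`:
    values() collects the distinct states per App_Name as a multivalue field
    (Splunk returns them in lexicographic order), and mvexpand turns each
    multivalue entry back into its own row."""
    grouped = {}
    for name, state in rows:
        grouped.setdefault(name, set()).add(state)
    return [(name, state)
            for name in sorted(grouped)
            for state in sorted(grouped[name])]


def dedup_by_pair(rows):
    """`| dedup App_Name App_State`: keep the first row for each distinct
    (App_Name, App_State) combination, preserving result order."""
    seen = set()
    out = []
    for row in rows:
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


if __name__ == "__main__":
    rows = extract(RAW_EVENTS)
    for label, result in (("dedup App_Name", dedup_by_name(rows)),
                          ("stats values | mvexpand", stats_values_mvexpand(rows)),
                          ("dedup App_Name App_State", dedup_by_pair(rows))):
        print(f"--- {label} ---")
        for name, state in result:
            print(f"{name:<12}{state}")
```

The `stats values(...)` route returns each distinct state once in lexicographic order, so the abc rows come out as "Partially running, Running, Stopped" rather than in the order the question lists them; the `dedup App_Name App_State` route instead keeps whichever event for each pair appears first in the results, so its row order follows the data unless an explicit `sort` is added.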