Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Need help with Splunk query

Mrig342
Contributor
‎01-27-2021 08:25 PM

Hi,

I have created  the below table using the query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State"

App_Name    App_State

abc                    Stopped

cde                    Running

abc                    Running

xyz                    Stopped

the                    Running

abc                   Partially running

abc                   Stopped

xyz                    Running

the                    Running

abc                   Running

and so on.

Here I want to create the table in the below format(the app_state should not repeat for a particular app_name but should be shown once per app_name):

App_Name    App_State

abc                    Running

abc                    Partially running

abc                    Stopped

cde                    Running

xyz                    Running

xyz                    Stopped

the                    Running

I used the "dedup" command along with my above query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State | dedup App_Name"

But I am getting this below output:

App_Name    App_State

abc                    Running

cde                    Running

xyz                    Running

the                    Running

Please help me create the query to get the output in the desired way.

Thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎01-27-2021 08:36 PM

@Mrig342  Try below

 

...|stats values(App_State) as App_State by App_Name|mvexpand App_State

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎01-27-2021 08:36 PM

@Mrig342  Try below

 

...|stats values(App_State) as App_State by App_Name|mvexpand App_State

 

 

Reply
Solved! Jump to solution

Mrig342
Contributor
‎01-27-2021 10:30 PM

Hi 493669,

Thank you for the prompt response. It worked...!!

Your support is much appreciated...!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-27-2021 08:34 PM 
| makeresults
| eval _raw="App_Name    App_State
abc                    Stopped
cde                    Running
abc                    Running
xyz                    Stopped
the                    Running
abc                   Partially running
abc                   Stopped
xyz                    Running
the                    Running
abc                   Running"
| multikv forceheader=1 
| table App_*
| reverse
| sort App_Name
| dedup App_Name App_State
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...