Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Need help with Splunk query

Mrig342
Contributor
‎01-27-2021 08:25 PM

Hi,

I have created  the below table using the query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State"

App_Name    App_State

abc                    Stopped

cde                    Running

abc                    Running

xyz                    Stopped

the                    Running

abc                   Partially running

abc                   Stopped

xyz                    Running

the                    Running

abc                   Running

and so on.

Here I want to create the table in the below format(the app_state should not repeat for a particular app_name but should be shown once per app_name):

App_Name    App_State

abc                    Running

abc                    Partially running

abc                    Stopped

cde                    Running

xyz                    Running

xyz                    Stopped

the                    Running

I used the "dedup" command along with my above query "index=main host="abcde" | rex field=_raw "(?ms)Label\s+Name\s:\s(?<App_Name>\w+\S+)" | rex field=_raw "(?ms)Sync\sState\s:\s(?<App_State>[\w\s]+\w)\s+Number" | table App_Name,App_State | dedup App_Name"

But I am getting this below output:

App_Name    App_State

abc                    Running

cde                    Running

xyz                    Running

the                    Running

Please help me create the query to get the output in the desired way.

Thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎01-27-2021 08:36 PM

@Mrig342  Try below

 

...|stats values(App_State) as App_State by App_Name|mvexpand App_State

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎01-27-2021 08:36 PM

@Mrig342  Try below

 

...|stats values(App_State) as App_State by App_Name|mvexpand App_State

 

 

Reply
Solved! Jump to solution

Mrig342
Contributor
‎01-27-2021 10:30 PM

Hi 493669,

Thank you for the prompt response. It worked...!!

Your support is much appreciated...!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-27-2021 08:34 PM 
| makeresults
| eval _raw="App_Name    App_State
abc                    Stopped
cde                    Running
abc                    Running
xyz                    Stopped
the                    Running
abc                   Partially running
abc                   Stopped
xyz                    Running
the                    Running
abc                   Running"
| multikv forceheader=1 
| table App_*
| reverse
| sort App_Name
| dedup App_Name App_State
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...