Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

comparing values of same field for duplicate

ramyaashok
New Member
‎10-20-2020 05:46 AM

Hi,

I am creating a dashboard like below, and want to check for duplicates in a particular column.

table is how dashboard will look initially, and later if the file value will be "adcdefghi", I want the status to be changed to data collected.  could anyone help me with this. 

appfilestatus
oneabcdefghiwaiting for data
two jklmnopq

waiting for data

Labels (1)
Labels
0 Karma
Reply

t_shreya
Path Finder
‎10-20-2020 06:38 AM

Hi @ramyaashok 

I think you can use eventstats to calculate the number of occurrences of 'file' and then use eval to check if they are greater than 1 to set the status column as 'Data collected'. It would look something like this:

..| eventstats count as duplicates by file
| eval status = if(duplicates>1,"Data collected","waiting for data")
| table app, file, status

 

0 Karma
Reply

ramyaashok
New Member
‎10-21-2020 01:51 AM

Thanks Shreya, it worked.. 

had one more doubt as well. please have look if you could help.

job

time

file

status

one

10:50

abc

waiting

two

11:30

def

waiting

three

11:45

hij

Waiting

 

now, if there is a job four is going to have file name as "def", i dont want it to be added to next line. instead i want is like table 2 below. if file name is same, want the status to be changed to collected and also other values added to table horizontally. 

 

jobtimefilestatusjob2time2
one10:50abcwaiting  
two11:30defcollectedfour12:00
three11:45hijwaiting  
0 Karma
Reply

t_shreya
Path Finder
‎10-21-2020 06:54 AM

Hi @ramyaashok ,

I'm not sure how to create a table exactly in the way that you want.

But it is possible to create a table in the following format:

filestatusname_of_job1name_of_job2name_of_job_3name_of_job_4
abcwaitingtime_of_job1   
defcollected time_of_job2 time_of_job4
hijwaiting  time_of_job3 

 

by using the following query:

your_results| eventstats count as duplicates by file
| eval status = if(duplicates>1,"Data collected","waiting for data")
| table file, status
| join file
    [| search your_results
    | chart values(_time) over file by job limit=10]

you can increase/decrease the limit parameter to put a threshold on the number of columns to be shown.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...