Knowledge Management

String concatentation (strcat command) is duplicating results

dbcase
Motivator

Hi,

I have this data

Properties: {   [-] 
         analyticsConfigs:  {   [+] 
        }   
         appVersion:     9.0.0  
         buildTarget:    blah   
         category:   Event  
         networkStatus: {   [-] 
         NT:     3  
        }   
         osName:     iOS    
         platformData:  {   [-] 
         BL:     1  
         BP:     87 
         FF:     1  
         HC:     Apple  
         HM:     iPhone7,2  
         HS:     3oiH88BN7fhGnT45o4s3NVO2rhbUBkTU8J74xBdGuJUMYytJqZQg9c1R_hIObb5wc1CKyNDXepajsVXA   
         LL:     en 
         LO:     US 
         OJ:     10.3.3 
         OS:     1  
         SA:     49953583104    
         ST:     63989493760    
         SU:     14035910656    
         UI:     17812487-32B5-4544-93F8-A3031EB2B0A6   
        }   
    }   
     analyticType:   SessionStart   
     buildTarget:    blah   
     clientSessionId:    DXFOS-CARQDTE  

and this query

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|stats count by oo

the query "works" but it appears that strcat is duplicating values because the results look like this

Android Android 6.0.1 6.0.1
Android Android 7.0 7.0
Android Android 7.1.1 7.1.1 
Android Android 8.0.0 8.0.0
iOS iOS 10.2.1 10.2.1

etc

Am I doing something I should'nt???

0 Karma
1 Solution

dbcase
Motivator

yep there are dups

os osversion
iOS
iOS
11.1.2
11.1.2
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0

I'll get with support as they setup the extraction.... Thank you!!!

View solution in original post

0 Karma

dbcase
Motivator

yep there are dups

os osversion
iOS
iOS
11.1.2
11.1.2
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0

I'll get with support as they setup the extraction.... Thank you!!!

0 Karma

somesoni2
Revered Legend

Run this and see if you still see duplicate values .

 index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | table os osversion

If you do, it seems there are multiple field extraction being setup (may be you used INDEXED_EXTRACTION and KV_MODE to json in props.conf of both indexer/search head).

dbcase
Motivator

I also "fixed" (well that is generous.... I kinda hacked at it) the problem by doing this

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|rex field=oo "(Android|iOS)\s(?<ooo>\w+\s[^\s]+)"|stats count by ooo
0 Karma

somesoni2
Revered Legend

Works. Another method:

index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | eval os=mvdedup(os) | eval osversion=mvdedup(osversion) |strcat os " " osversion oo|stats count by ooo

You can also use mvindex(<<FIELDNAME>>,-1) instead of mvdedup.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...