Knowledge Management

String concatentation (strcat command) is duplicating results

dbcase
Motivator

Hi,

I have this data

Properties: {   [-] 
         analyticsConfigs:  {   [+] 
        }   
         appVersion:     9.0.0  
         buildTarget:    blah   
         category:   Event  
         networkStatus: {   [-] 
         NT:     3  
        }   
         osName:     iOS    
         platformData:  {   [-] 
         BL:     1  
         BP:     87 
         FF:     1  
         HC:     Apple  
         HM:     iPhone7,2  
         HS:     3oiH88BN7fhGnT45o4s3NVO2rhbUBkTU8J74xBdGuJUMYytJqZQg9c1R_hIObb5wc1CKyNDXepajsVXA   
         LL:     en 
         LO:     US 
         OJ:     10.3.3 
         OS:     1  
         SA:     49953583104    
         ST:     63989493760    
         SU:     14035910656    
         UI:     17812487-32B5-4544-93F8-A3031EB2B0A6   
        }   
    }   
     analyticType:   SessionStart   
     buildTarget:    blah   
     clientSessionId:    DXFOS-CARQDTE  

and this query

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|stats count by oo

the query "works" but it appears that strcat is duplicating values because the results look like this

Android Android 6.0.1 6.0.1
Android Android 7.0 7.0
Android Android 7.1.1 7.1.1 
Android Android 8.0.0 8.0.0
iOS iOS 10.2.1 10.2.1

etc

Am I doing something I should'nt???

0 Karma
1 Solution

dbcase
Motivator

yep there are dups

os osversion
iOS
iOS
11.1.2
11.1.2
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0

I'll get with support as they setup the extraction.... Thank you!!!

View solution in original post

0 Karma

dbcase
Motivator

yep there are dups

os osversion
iOS
iOS
11.1.2
11.1.2
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0

I'll get with support as they setup the extraction.... Thank you!!!

0 Karma

somesoni2
Revered Legend

Run this and see if you still see duplicate values .

 index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | table os osversion

If you do, it seems there are multiple field extraction being setup (may be you used INDEXED_EXTRACTION and KV_MODE to json in props.conf of both indexer/search head).

dbcase
Motivator

I also "fixed" (well that is generous.... I kinda hacked at it) the problem by doing this

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|rex field=oo "(Android|iOS)\s(?<ooo>\w+\s[^\s]+)"|stats count by ooo
0 Karma

somesoni2
Revered Legend

Works. Another method:

index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | eval os=mvdedup(os) | eval osversion=mvdedup(osversion) |strcat os " " osversion oo|stats count by ooo

You can also use mvindex(<<FIELDNAME>>,-1) instead of mvdedup.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...