- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: String concatentation (strcat command) is dupl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have this data
Properties: { [-]
analyticsConfigs: { [+]
}
appVersion: 9.0.0
buildTarget: blah
category: Event
networkStatus: { [-]
NT: 3
}
osName: iOS
platformData: { [-]
BL: 1
BP: 87
FF: 1
HC: Apple
HM: iPhone7,2
HS: 3oiH88BN7fhGnT45o4s3NVO2rhbUBkTU8J74xBdGuJUMYytJqZQg9c1R_hIObb5wc1CKyNDXepajsVXA
LL: en
LO: US
OJ: 10.3.3
OS: 1
SA: 49953583104
ST: 63989493760
SU: 14035910656
UI: 17812487-32B5-4544-93F8-A3031EB2B0A6
}
}
analyticType: SessionStart
buildTarget: blah
clientSessionId: DXFOS-CARQDTE
and this query
index=wholesale_app buildTarget=blah analyticType=SessionStart |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|stats count by oo
the query "works" but it appears that strcat is duplicating values because the results look like this
Android Android 6.0.1 6.0.1
Android Android 7.0 7.0
Android Android 7.1.1 7.1.1
Android Android 8.0.0 8.0.0
iOS iOS 10.2.1 10.2.1
etc
Am I doing something I should'nt???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yep there are dups
os osversion
iOS
iOS
11.1.2
11.1.2
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
I'll get with support as they setup the extraction.... Thank you!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yep there are dups
os osversion
iOS
iOS
11.1.2
11.1.2
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
iOS
iOS
11.1.1
11.1.1
Android
Android
7.0
7.0
Android
Android
7.0
7.0
I'll get with support as they setup the extraction.... Thank you!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this and see if you still see duplicate values .
index=wholesale_app buildTarget=blah analyticType=SessionStart |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | table os osversion
If you do, it seems there are multiple field extraction being setup (may be you used INDEXED_EXTRACTION and KV_MODE to json in props.conf of both indexer/search head).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also "fixed" (well that is generous.... I kinda hacked at it) the problem by doing this
index=wholesale_app buildTarget=blah analyticType=SessionStart |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|rex field=oo "(Android|iOS)\s(?<ooo>\w+\s[^\s]+)"|stats count by ooo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works. Another method:
index=wholesale_app buildTarget=blah analyticType=SessionStart |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | eval os=mvdedup(os) | eval osversion=mvdedup(osversion) |strcat os " " osversion oo|stats count by ooo
You can also use mvindex(<<FIELDNAME>>,-1) instead of mvdedup.
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
