Solved: Re: Grouping by two fields the rest fields are mis...

Kubousky · ‎02-09-2022

I try to group by 2 fields: policy_id and client_rol but "| stats values(*) by policy_id client_rol " then the rest of fields´ values are missing.

Having following table ...

policy_id client_rol client_id client_city

001	TO	X0001	LONDON
001	AS	X0001
001	TO	X0001	LONDON
001	AS	X0001

The result I would like to get is:

policy_id client_rol client_id client_city

001	TO	X0001	LONDON
001	AS	X0001

any clue guys?

gcusello · ‎02-09-2022

Hi @Kubousky,

could you share the full search?

maybe the problem is before stats command, because using "| stats values(*) by policy_id client_rol", you should have all the fields.

only for precision, use:

| stats values(*) AS * BY policy_id client_rol

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-09-2022

Hi @Kubousky,

could you share the full search?

maybe the problem is before stats command, because using "| stats values(*) by policy_id client_rol", you should have all the fields.

only for precision, use:

| stats values(*) AS * BY policy_id client_rol

Ciao.

Giuseppe

Kubousky · ‎02-09-2022

that was it. thank u @gcusello

gcusello · ‎02-09-2022

Hi @Kubousky,

good for you, see next time!
Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Grouping by two fields the rest fields are missing

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?