Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to find duplicate values inside a single field?

v610469
New Member
‎12-22-2015 07:20 AM

For data from DNS that looks like these examples:
www.abc.com.www.bca.com
www.abc.net.www.bca.net

How can I report that .com or .net appears more than once in the field? I would stat this an push it into a count by client after finding the values that match.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-22-2015 10:19 AM

if you have a single value per field, you can create a new field and trim the domain using a regex.

    __mysearch>__ | rex field=mydomainfield "(?<start_domain>.*)(?<end_domain>\.\w+)$" | table mydomainfield start_domain end_domain

the do add a

      | stats count by start_domain

if you have mutlivalue per field, you have to start by splitting your field.
see this article
http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Parsemultivaluefields

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dcarmack_splunk
Splunk Employee
Splunk Employee
‎12-23-2015 04:59 PM

try this 

| rex field=domain max_match=10 "(?<top_level_domain>\b(?:com|net|edu|org)\b)" | stats count by domain top_level_domain | where count > 1
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-22-2015 10:19 AM

if you have a single value per field, you can create a new field and trim the domain using a regex.

    __mysearch>__ | rex field=mydomainfield "(?<start_domain>.*)(?<end_domain>\.\w+)$" | table mydomainfield start_domain end_domain

the do add a

      | stats count by start_domain

if you have mutlivalue per field, you have to start by splitting your field.
see this article
http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Parsemultivaluefields

0 Karma
Reply
Solved! Jump to solution

v610469
New Member
‎12-24-2015 08:20 AM

Yes will be multivalued field. Where we want to report clients who for some reason append additional domains in a DNS query, which will fail except in rare cases.

I did get around this by using .net. OR .com. the trailing dot picks up there is more to the domain.

Paula

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...