Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find duplicate values inside a single field?

v610469
New Member
‎12-22-2015 07:20 AM

For data from DNS that looks like these examples:
www.abc.com.www.bca.com
www.abc.net.www.bca.net

How can I report that .com or .net appears more than once in the field? I would stat this an push it into a count by client after finding the values that match.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-22-2015 10:19 AM

if you have a single value per field, you can create a new field and trim the domain using a regex.

    __mysearch>__ | rex field=mydomainfield "(?<start_domain>.*)(?<end_domain>\.\w+)$" | table mydomainfield start_domain end_domain

the do add a

      | stats count by start_domain

if you have mutlivalue per field, you have to start by splitting your field.
see this article
http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Parsemultivaluefields

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dcarmack_splunk
Splunk Employee
Splunk Employee
‎12-23-2015 04:59 PM

try this 

| rex field=domain max_match=10 "(?<top_level_domain>\b(?:com|net|edu|org)\b)" | stats count by domain top_level_domain | where count > 1
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-22-2015 10:19 AM

if you have a single value per field, you can create a new field and trim the domain using a regex.

    __mysearch>__ | rex field=mydomainfield "(?<start_domain>.*)(?<end_domain>\.\w+)$" | table mydomainfield start_domain end_domain

the do add a

      | stats count by start_domain

if you have mutlivalue per field, you have to start by splitting your field.
see this article
http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Parsemultivaluefields

0 Karma
Reply
Solved! Jump to solution

v610469
New Member
‎12-24-2015 08:20 AM

Yes will be multivalued field. Where we want to report clients who for some reason append additional domains in a DNS query, which will fail except in rare cases.

I did get around this by using .net. OR .com. the trailing dot picks up there is more to the domain.

Paula

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
li.common.scroll-to.top