Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Dedup and multivalued fields

jamesdon
Path Finder
‎03-08-2011 08:33 PM

Hello,

I am extracting a few user names from a multiple line log, using MV_ADD=true in transforms.conf and KV_MODE = multi in transforms. The search results look great, and are what I am expecting; a single event per user found.

However, when I attempt to dedup the users, I run into problems. The user names are no longer individual events, but are consolidated into the original event. For instance, lets pretend that these are the three logs that I am searching:

Username: rabbit
Username: snail


Username: rabbit
Username: turtle


Username: rabbit

When I attempt to dedup the user name, I get:

rabbit, snail
rabbit, turtle
rabbit

I am expecting:

rabbit
snail
turtle

I thought that the problem would be resolved by using "multi: invokes multikv to expand a tabular event into multiple events" in props, but it does not.

Any ideas? I could always pre-process the data, but I was hoping to do it all in Splunk.

Thank you,

Jim

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-08-2011 10:56 PM

You have a couple choices here:

  1. Use ... | mvexpand username to break each event into a distinct event per username, duplicating the message, followed by the dedup to find the most recent per username.
  2. Use ... | stats count by username | fields username to just aggregate the list of username values.

The first is better if you want to see the original messages, but is less efficient than the second, which is better for just finding the user list.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-08-2011 10:56 PM

You have a couple choices here:

  1. Use ... | mvexpand username to break each event into a distinct event per username, duplicating the message, followed by the dedup to find the most recent per username.
  2. Use ... | stats count by username | fields username to just aggregate the list of username values.

The first is better if you want to see the original messages, but is less efficient than the second, which is better for just finding the user list.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...