Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does stats values command combine unique values?

LearningGuy
Motivator
‎10-29-2023 07:25 PM

Hello,
Does stats values command combine unique values?
For example:

companyip
companyA
companyA		1.1.1.1
companyB
companyB
companyB		1.1.1.2



index=regular_index 
| stats values(company) by ip
| table company, ip

Should the command above produce the following output?

companyip
companyA1.1.1.1
companyB1.1.1.2


Thank you so much

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2023 07:52 AM

Hi @LearningGuy ,

sorry "it runs"

I meant that I cannot test your search because if I take the values from your page it runs

gcusello_0-1698677509778.png

You have to try to use nomv and mvexpand.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2023 12:11 AM

Hi @LearningGuy ,

yes your search give you a list of distinct values by ip:

index=regular_index 
| stats values(company) AS company BY ip
| table company ip

but if you don't use "AS company" you don't have this field in the following table command.

Is this your question or do you have other doubt?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-30-2023 06:32 AM

Hi @gcusello 

Yes, this answered my question, but I have other doubt.
Values command does not work if the data got merged into one row after "summary index". 
Please see below example and picture. Please suggest. Thanks

companyip
companyA companyA1.1.1.1
companyB companyB companyB1.1.1.2



summary_index2.jpg

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-30-2023 07:51 AM

You're again digging into the issue we're tackling in this thread:

https://community.splunk.com/t5/Reporting/summary-index-merges-multiple-line-values-into-one-row/m-p...

Due to how multivalued fields are "flattened" when collected to a stash sourcetype, your summarized events really do have the values of "companyA companyA" and "companyB companyB companyB".

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2023 06:40 AM

Hi @LearningGuy ,

to have all the values in the same row, you have to add the nomv command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Nomv) after the stats command:

index=regular_index 
| stats values(company) AS company BY ip
| nomv company
| table company ip

 Ciao.

Giuseppe

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-30-2023 06:58 AM

Hi @gcusello ,

Sorry if I wasn't clear.   
If you refer to the drawing I posted previously.
The issue is actually the opposite.   After I moved the **commands/searches** into summary index, the data was merged into one row, so the values command did not give me unique values 
I expected to get "companyA", but it gave me "companyA companyA" because of the Carriage Return ("\n")

Values command did not work

companyip
companyA companyA1.1.1.1
companyB companyB companyB1.1.1.2



values command worked

companyip
companyA
companyA		1.1.1.1
companyB
companyB
companyB		1.1.1.2


I also have a different post specifically discussed about why summary index caused this merge behavious
https://community.splunk.com/t5/Reporting/summary-index-merges-multiple-line-values-into-one-row/m-p...
1) Why values command does not work if the data gets merged into one line?
2) Why does summary index cause merging into one row in the first place?

Thank you so much for your help


0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2023 07:18 AM

Hi @LearningGuy ,

you should try to use mvexpand and nomv commands.
I cannot test because iy runs using values from a text page.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎10-30-2023 07:42 AM

Hi @gcusello ,

What do you mean by "iy runs using values from a text page"?

So, values won't work if "\" gets merged into one line and I should use mvexpand to fix this?

Any idea on the root cause why it happened after summary index?

Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-30-2023 07:52 AM

Hi @LearningGuy ,

sorry "it runs"

I meant that I cannot test your search because if I take the values from your page it runs

gcusello_0-1698677509778.png

You have to try to use nomv and mvexpand.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-29-2023 08:34 PM

The answer is revealed in documentation of values.  Use the "AS" modifier.  If you know that each IP only corresponds to one company, the following will do the trick:

index=regular_index 
| stats values(company) as company by ip
| table company, ip
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...