Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get distinct values for a derived field in a search?

wwhitener
Communicator
‎01-18-2012 11:09 AM

Good afternoon all,

I have a datasource that I've used transforms.conf and props.conf to create a "field" derived from a comma-delimited portion of each event. How do I get a list of the distinct values?

For example, if I have three events:

[A, B, C, D]

[D, E, F, G]

[A, G, C, Z]

How do I get a resultset that gives me "A", "B", "C", "D", "E", "F", "G", "Z" and no counts or any other information?

I already have the transforms.conf and props.conf pulling out the values for the "tags", but not a way to say "Here are all of the values for that field". In SQL, I'd use "SELECT DISTINCT TEXT FROM MYTAGS...", but I don't know about the Splunk query values.

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎01-18-2012 01:03 PM

http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

values(X)   This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical.

So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:

... | stats values(foo)

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎01-18-2012 01:03 PM

http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

values(X)   This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical.

So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:

... | stats values(foo)
Reply
Solved! Jump to solution

wwhitener
Communicator
‎01-18-2012 01:06 PM

I guess I went the wrong way around it then.
source="mysource.log" | stats count by myfield | fields myfield
It was to populate a form dropdown, so ultimately even the "fields" functions is not really needed for what I wanted.
Thanks for the answer! I'll try it your way too.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...