Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get distinct values for a derived field in a search?

wwhitener
Communicator
‎01-18-2012 11:09 AM

Good afternoon all,

I have a datasource that I've used transforms.conf and props.conf to create a "field" derived from a comma-delimited portion of each event. How do I get a list of the distinct values?

For example, if I have three events:

[A, B, C, D]

[D, E, F, G]

[A, G, C, Z]

How do I get a resultset that gives me "A", "B", "C", "D", "E", "F", "G", "Z" and no counts or any other information?

I already have the transforms.conf and props.conf pulling out the values for the "tags", but not a way to say "Here are all of the values for that field". In SQL, I'd use "SELECT DISTINCT TEXT FROM MYTAGS...", but I don't know about the Splunk query values.

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎01-18-2012 01:03 PM

http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

values(X)   This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical.

So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:

... | stats values(foo)

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎01-18-2012 01:03 PM

http://docs.splunk.com/Documentation/Splunk/4.2.2/SearchReference/CommonStatsFunctions

values(X)   This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical.

So if the values in your example are extracted as a multi-valued field called, say, "foo", you would do something like:

... | stats values(foo)
Reply
Solved! Jump to solution

wwhitener
Communicator
‎01-18-2012 01:06 PM

I guess I went the wrong way around it then.
source="mysource.log" | stats count by myfield | fields myfield
It was to populate a form dropdown, so ultimately even the "fields" functions is not really needed for what I wanted.
Thanks for the answer! I'll try it your way too.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...