How do I get unique values of different types of events without duplicates?

bollam
Path Finder

Hello,

I have got events with two different types: type=First and type=Second.

I would like to get a consolidated result (with unique tags) from both types, based on the following conditions:

i) If both types have a value for tag, then the value of tag from type=First takes priority and the tag value from type=Second is ignored, whether it has a value or not.

ii) If tag has no value (i.e., "") in type=First and tag of type=Second has a value, then it takes the value from type=Second for the same id of type=First.

iii) If both types have no value in tag, then we can ignore this.

Note: id_first and id_second have the same values but the naming convention is different.

    time=1544071583425 type="First" version="2.0.5" status="OK"  id_first="210468"  user="abc" tag="some"
    time=1544071583425 type="First" version="2.0.5" status="OK"  id_first="210469"  user="xyz" tag=""
    time=1544071583424 type="First" version="2.0.5" status="OK"  id_first="210470"  user="wow" tag=""
    time=1544071583424 type="First" version="2.0.5" status="OK"  id_first="210483"  user="rez"
    time=1544071583424 type="First" version="2.0.5" status="OK"  id_first="210487"  user="yov" tag="wrong"
    time=1544071583424 type="First" version="2.0.5" status="OK"  id_first="210491"  user="boh" tag=""

    time=1544071583425 type="Second" version="2.0.5" status="OK"  id_second="210468"  user="abc" tag="some"
    time=1544071583425 type="Second" version="2.0.5" status="OK"  id_second="210469"  user="xyz" tag="where"
    time=1544071583424 type="Second" version="2.0.5" status="OK"  id_second="210470"  user="wow" tag="fishy"
    time=1544071583424 type="Second" version="2.0.5" status="OK"  id_second="210483"  user="rez"
    time=1544071583424 type="Second" version="2.0.5" status="OK"  id_second="210487"  user="yov" tag="wrong"
    time=1544071583424 type="Second" version="2.0.5" status="OK"  id_second="210491"  user="boh" tag="great"

Expected output:

    tag      id
    some     210469
    where    210469
    fishy    210470
    wrong    210483
    great    210487

renjith_nair
Legend

@bollam,

According to your description, there is a mismatch in your output. For example, 210468 should have the tag some and 210491 should have great.
Based on this assumption, try this:

    "your search"
    | eval ID=coalesce(id_first,id_second)
    | stats values(eval(if(type="First",tag,null()))) as _tag1, values(eval(if(type="Second",tag,null()))) as _tag2 by ID
    | eval tag=if(_tag1!="",_tag1,_tag2)
Happy Splunking!



bollam
Path Finder

@renjith, No, 210491 does not have a value in tag in type=First, but id_second=210491 has a value in tag for type=Second. In this case the tag should be considered as great since it's not present in type=First.

When I ran the query you provided, I'm not getting the values of the tags; it's just displaying the value okay as the tag for all the events.

    index=sai_core sourcetype=firstsecond_log
    | eval ID=coalesce(id_first,id_second)
    | stats values(eval(if(type="First",tag,null()))) as _tag1, values(eval(if(type="Second",tag,null()))) as _tag2 by ID
    | eval tag=if(_tag1!="", _tag1, _tag2)

I do not understand where the value "okay" is coming from. The word "okay" does not exist in the events.
How can I view the values of _tag1 and _tag2?

    ID      tag
    210468  okay
    210469  okay
    210470  okay
    210483  okay
    210487  okay
    210491  okay


renjith_nair
Legend

@bollam,
That's strange. Can you try this and verify the values of tag1 and tag2? If these are fine, then remove tag1 & tag2 by using `| fields - tag1,tag2`

    index=sai_core sourcetype=firstsecond_log
    | eval ID=coalesce(id_first,id_second)
    | stats values(eval(if(type="First",tag,null()))) as tag1, values(eval(if(type="Second",tag,null()))) as tag2 by ID
    | eval tag=if(tag1!="", tag1, tag2)
Happy Splunking!
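To check what the thread's search should produce for the sample events, here is an added example (not from the thread or from Splunk) that applies the same logic outside Splunk: coalesce the id fields, collect the tag per type for each ID, prefer the First tag and fall back to Second, and keep both intermediate values visible. The events are constructed from the question, and the field names tag1/tag2 are just labels chosen to match the second search.

```python
import re

# Constructed sample input: the twelve events quoted in the question, one per line.
SAMPLE_EVENTS = """\
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210468" user="abc" tag="some"
time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210469" user="xyz" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210470" user="wow" tag=""
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210483" user="rez"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210487" user="yov" tag="wrong"
time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210491" user="boh" tag=""
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210468" user="abc" tag="some"
time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210469" user="xyz" tag="where"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210470" user="wow" tag="fishy"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210483" user="rez"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210487" user="yov" tag="wrong"
time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210491" user="boh" tag="great"
"""

# key=value pairs, quoted or bare, roughly like Splunk's automatic kv extraction
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return the event's fields as a dict; tag="" parses to an empty string."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def merge_tags(raw):
    """Mirror the thread's SPL and return {ID: (tag1, tag2, chosen)} so the
    intermediate tag1/tag2 values stay visible next to the final tag."""
    per_id = {}
    for line in raw.splitlines():
        event = parse_event(line)
        event_id = event.get("id_first") or event.get("id_second")  # coalesce(id_first,id_second)
        slot = per_id.setdefault(event_id, {"First": "", "Second": ""})
        slot[event["type"]] = event.get("tag", "")  # a missing tag behaves like ""
    merged = {}
    for event_id, tags in per_id.items():
        tag1, tag2 = tags["First"], tags["Second"]
        chosen = tag1 if tag1 != "" else tag2  # if(tag1!="", tag1, tag2)
        if chosen == "":
            continue  # rule iii: no tag on either type, drop the ID
        merged[event_id] = (tag1, tag2, chosen)
    return merged

if __name__ == "__main__":
    print("ID      tag1   tag2   tag")
    for event_id, (tag1, tag2, chosen) in merge_tags(SAMPLE_EVENTS).items():
        print(f"{event_id:<7} {tag1:<6} {tag2:<6} {chosen}")
```

One thing worth knowing when comparing against Splunk: field names that start with an underscore, such as _tag1 and _tag2 in the first search, are hidden from the results table by default, which is why renaming them to tag1 and tag2 makes them visible.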