Team,
Can you please help me with the Splunk query for the below?
Thank you
Splunk query returns the below
1 1 1 2 2 2 3 1 1 3 1
How do I get the below (unique within each group)?
1 2 3 1
index=*
| table sourcetype
| streamstats current=f window=2 last(sourcetype) as previous_sourcetype
| where sourcetype != previous_sourcetype
How did you get this result?
Why is 1 still repeated in your required result?
Since I wanted to know the flow of data from one sourcetype to another sourcetype. Apparently, in my case, the data after exiting a sourcetype can re-enter the sourcetype at a later point of time.
Thank you
Hi @msg4sunil
use
values(fieldname1) by fieldname2
Can you please clarify how to use
values(fieldname1) by fieldname2?
index=*|table sourcetype|dedup sourcetype
Sorry, I can't be using dedup, since that doesn't solve my purpose.
index=*
| table sourcetype
| streamstats current=f window=2 last(sourcetype) as previous_sourcetype
| where sourcetype != previous_sourcetype
Wow. Amazing. Thanks a lot!
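The run-collapsing approach from this thread, run on constructed data, as an added example that is not from any poster: `makeresults` rebuilds the sequence from the question so the search runs without an index. The `n` counter, `window=1` and the `isnull()` guard are assumptions added here; the guard keeps the first event, whose `previous_sourcetype` is null and would otherwise be dropped by the `!=` comparison.

```spl
| makeresults count=11
| streamstats count as n
| eval sourcetype=mvindex(split("1,1,1,2,2,2,3,1,1,3,1", ","), n-1)
| streamstats current=f window=1 last(sourcetype) as previous_sourcetype
| where isnull(previous_sourcetype) OR sourcetype != previous_sourcetype
| table n sourcetype previous_sourcetype
```

`streamstats` works in the order events arrive, which for a normal search is newest first, so put `| sort 0 _time` before it to read the flow chronologically. `| dedup sourcetype consecutive=true` is the built-in form of the same collapse.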