Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I group two fields (multivalued)?

philippbloch
Loves-to-Learn Lots
‎02-14-2019 05:45 AM

Hello,

I have the following table:

User           Group
-------------  -------------
User_A         Group_A
-------------  -------------
User_A         Group_B
-------------  -------------
User_A         Group_C
-------------  -------------
User_B         Group_A
-------------  -------------
User_B         Group_B
-------------  -------------
User_B         Group_C
-------------  -------------
User_C         Group_C
-------------  -------------
User_D         Group_D
-------------  -------------
User_D         Group_E

Which I want to group as follows:

User           Group
-------------  -------------
User_A         Group_A
User_B         Group_B
               Group_C
-------------  -------------
User_C         Group_C
-------------  -------------
User_D         Group_D
               Group_E

I tried:

<my results> | stats values(Group) as Group by User | stats values(User) as User by Group

Any suggestions how to achieve this?

Thanks,
-Philipp

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-14-2019 06:30 AM

Your attempt is close, but you need to apply a little trick to let the second stats work (as the "by Group" won't have the desired effect when Group is a multi valued field). So you first need turn Group into a single valued field, then do the second stats and then split Group out again. Since values() returns a sorted result, this should work and result in the same concatenated strings for users that have the same set of groups.

<my results>
| stats values(Group) as Group by User
| eval Group=mvjoin(Group,"|")
| stats values(User) as User by Group
| eval Group=split(Group,"|")

This has the following intermediate results:

After the first stats and eval:

 User           Group
 -------------  -------------
 User_A         Group_A|Group_B|Group_C
  -------------  -------------
 User_B         Group_A|Group_B|Group_C
 -------------  -------------
 User_C         Group_C
 -------------  -------------
 User_D         Group_D|Group_E

After the second stats:

 User           Group
 -------------  -------------
 User_A         Group_A|Group_B|Group_C
 User_B         
 -------------  -------------
 User_C         Group_C
 -------------  -------------
 User_D         Group_D|Group_E

After the second eval:

 User           Group
 -------------  -------------
 User_A         Group_A
 User_B         Group_B
                Group_C
 -------------  -------------
 User_C         Group_C
 -------------  -------------
 User_D         Group_D
                Group_E

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-14-2019 06:30 AM

Your attempt is close, but you need to apply a little trick to let the second stats work (as the "by Group" won't have the desired effect when Group is a multi valued field). So you first need turn Group into a single valued field, then do the second stats and then split Group out again. Since values() returns a sorted result, this should work and result in the same concatenated strings for users that have the same set of groups.

<my results>
| stats values(Group) as Group by User
| eval Group=mvjoin(Group,"|")
| stats values(User) as User by Group
| eval Group=split(Group,"|")

This has the following intermediate results:

After the first stats and eval:

 User           Group
 -------------  -------------
 User_A         Group_A|Group_B|Group_C
  -------------  -------------
 User_B         Group_A|Group_B|Group_C
 -------------  -------------
 User_C         Group_C
 -------------  -------------
 User_D         Group_D|Group_E

After the second stats:

 User           Group
 -------------  -------------
 User_A         Group_A|Group_B|Group_C
 User_B         
 -------------  -------------
 User_C         Group_C
 -------------  -------------
 User_D         Group_D|Group_E

After the second eval:

 User           Group
 -------------  -------------
 User_A         Group_A
 User_B         Group_B
                Group_C
 -------------  -------------
 User_C         Group_C
 -------------  -------------
 User_D         Group_D
                Group_E
0 Karma
Reply
Solved! Jump to solution

philippbloch
Loves-to-Learn Lots
‎02-14-2019 07:28 AM

I changed the "mvsplit" to "split" in the second eval.

It works perfect that way! Thanks a lot!

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-14-2019 07:36 AM

You're welcome! And indeed, it should be split not mvsplit, my bad. I've corrected that in my answer as well 🙂

0 Karma
Reply
Solved! Jump to solution

saurabhkharkar
Path Finder
‎02-14-2019 06:24 AM 
just | stats values(Group) as Group by User should be enough
0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-14-2019 06:32 AM

No it isn't, as that doesn't group the user field into a multi valued field for users that have the same set of groups.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...