Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine unique values of the field into one?

srizan
Path Finder
‎08-16-2018 08:44 AM

I am trying to make a report with the unique combination of ID, AVER SRV & ZONE. However, since I am getting lots of duplicate values because I have multiple values for ZONE, is there anyway I can combine all the ZONE in one field so I won't have lots of duplication.

Currently I am using following query:

| dedup ID AVER SRV ZONE | fields + ID, SRV, ZONE

Now if the Zone has multiple values, I am getting multiple entries instead I am trying to have one entry with all the different zones combined.

Please advise.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 10:02 AM

@srizan, try the following:

<yourCurrentSearch>
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")

Following is a run anywhere example based on sample data provided. The query from | makeresults till | table generates dummy data as per the first table provided in comment.

| makeresults 
| eval data="123 1 2 01;123 1 2 02;123 1 2 03" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval ID=mvindex(data,0),AVER=mvindex(data,1),SRV=mvindex(data,2),ZONE=mvindex(data,3)
| table ID AVER SRV ZONE
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 10:02 AM

@srizan, try the following:

<yourCurrentSearch>
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")

Following is a run anywhere example based on sample data provided. The query from | makeresults till | table generates dummy data as per the first table provided in comment.

| makeresults 
| eval data="123 1 2 01;123 1 2 02;123 1 2 03" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval ID=mvindex(data,0),AVER=mvindex(data,1),SRV=mvindex(data,2),ZONE=mvindex(data,3)
| table ID AVER SRV ZONE
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

srizan
Path Finder
‎08-16-2018 10:07 AM

That worked like a charm, Thank you @niketnilay

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎08-16-2018 09:17 AM

@srizan

... | stats values(*) as * by ID or whatever it is you want to group lines by

@marycordova
0 Karma
Reply
Solved! Jump to solution

srizan
Path Finder
‎08-16-2018 09:38 AM

@marycordovacaa I apoligize for not being clear,
I have various values for ZONE and dedup for
ID | AVER | SRV | ZONE
123 1 2 01
123 1 2 02
123 1 2 03

I want it to have it something like this
ID | AVER | SRV | ZONE
123 1 2 01,02,03

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top