Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine unique values of the field into one?

srizan
Path Finder
‎08-16-2018 08:44 AM

I am trying to make a report with the unique combination of ID, AVER SRV & ZONE. However, since I am getting lots of duplicate values because I have multiple values for ZONE, is there anyway I can combine all the ZONE in one field so I won't have lots of duplication.

Currently I am using following query:

| dedup ID AVER SRV ZONE | fields + ID, SRV, ZONE

Now if the Zone has multiple values, I am getting multiple entries instead I am trying to have one entry with all the different zones combined.

Please advise.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 10:02 AM

@srizan, try the following:

<yourCurrentSearch>
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")

Following is a run anywhere example based on sample data provided. The query from | makeresults till | table generates dummy data as per the first table provided in comment.

| makeresults 
| eval data="123 1 2 01;123 1 2 02;123 1 2 03" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval ID=mvindex(data,0),AVER=mvindex(data,1),SRV=mvindex(data,2),ZONE=mvindex(data,3)
| table ID AVER SRV ZONE
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 10:02 AM

@srizan, try the following:

<yourCurrentSearch>
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")

Following is a run anywhere example based on sample data provided. The query from | makeresults till | table generates dummy data as per the first table provided in comment.

| makeresults 
| eval data="123 1 2 01;123 1 2 02;123 1 2 03" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval ID=mvindex(data,0),AVER=mvindex(data,1),SRV=mvindex(data,2),ZONE=mvindex(data,3)
| table ID AVER SRV ZONE
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

srizan
Path Finder
‎08-16-2018 10:07 AM

That worked like a charm, Thank you @niketnilay

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎08-16-2018 09:17 AM

@srizan

... | stats values(*) as * by ID or whatever it is you want to group lines by

@marycordova
0 Karma
Reply
Solved! Jump to solution

srizan
Path Finder
‎08-16-2018 09:38 AM

@marycordovacaa I apoligize for not being clear,
I have various values for ZONE and dedup for
ID | AVER | SRV | ZONE
123 1 2 01
123 1 2 02
123 1 2 03

I want it to have it something like this
ID | AVER | SRV | ZONE
123 1 2 01,02,03

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top