Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine unique values of the field into one?

srizan
Path Finder
‎08-16-2018 08:44 AM

I am trying to make a report with the unique combination of ID, AVER SRV & ZONE. However, since I am getting lots of duplicate values because I have multiple values for ZONE, is there anyway I can combine all the ZONE in one field so I won't have lots of duplication.

Currently I am using following query:

| dedup ID AVER SRV ZONE | fields + ID, SRV, ZONE

Now if the Zone has multiple values, I am getting multiple entries instead I am trying to have one entry with all the different zones combined.

Please advise.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 10:02 AM

@srizan, try the following:

<yourCurrentSearch>
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")

Following is a run anywhere example based on sample data provided. The query from | makeresults till | table generates dummy data as per the first table provided in comment.

| makeresults 
| eval data="123 1 2 01;123 1 2 02;123 1 2 03" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval ID=mvindex(data,0),AVER=mvindex(data,1),SRV=mvindex(data,2),ZONE=mvindex(data,3)
| table ID AVER SRV ZONE
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎08-16-2018 10:02 AM

@srizan, try the following:

<yourCurrentSearch>
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")

Following is a run anywhere example based on sample data provided. The query from | makeresults till | table generates dummy data as per the first table provided in comment.

| makeresults 
| eval data="123 1 2 01;123 1 2 02;123 1 2 03" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval ID=mvindex(data,0),AVER=mvindex(data,1),SRV=mvindex(data,2),ZONE=mvindex(data,3)
| table ID AVER SRV ZONE
| stats values(ZONE) as ZONE by ID AVER SRV
| nomv ZONE
| eval ZONE=replace(ZONE,"\s",",")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

srizan
Path Finder
‎08-16-2018 10:07 AM

That worked like a charm, Thank you @niketnilay

0 Karma
Reply
Solved! Jump to solution

marycordova
SplunkTrust
SplunkTrust
‎08-16-2018 09:17 AM

@srizan

... | stats values(*) as * by ID or whatever it is you want to group lines by

@marycordova
0 Karma
Reply
Solved! Jump to solution

srizan
Path Finder
‎08-16-2018 09:38 AM

@marycordovacaa I apoligize for not being clear,
I have various values for ZONE and dedup for
ID | AVER | SRV | ZONE
123 1 2 01
123 1 2 02
123 1 2 03

I want it to have it something like this
ID | AVER | SRV | ZONE
123 1 2 01,02,03

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...