Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display one to one mapping between fields in stats command

neerajs_81
Builder
3 weeks ago

Hi there,  how can i use stats command to one to one mapping between fields .  I have tried "list" function and "values" function both but results are not expected.
Example: we are consolidating data from 2 indexes and both indexes have same fields of interests ( user, src_ip) 
Base query:

 

index=okta or index=network
| iplocation (src_ip)
|stats values(src_ip) values(deviceName) values(City) values(Country) by user, index

 



Results:
We get something like this

userindexsrc_ipDeviceNameCountry
John_smithokta10.0.0.1
192.178.2.24		laptop01USA
John_smithnetwork198.20.0.14
64.214.71.89
64.214.71.90
71.29.100.90		laptop01
laptop02
server01
My-CloudPC		USA
     


Expected results:
How to map which src_ip is coming from which Devicename?  We want to align the Devicename  in same sequence as per the src_ip ?

If i use list instead of values in my stats,  it shows duplicates like this for src_ip and deviceName. Even doing a |dedup src_ip is not helping 

neerajs_81_0-1741004055398.png

 



Hope clear.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

The values and list functions display results in lexicographic order and destroy any potential relationship among the fields.  One solution is use mvzip to combine fields, group the results, then unzip the fields.

index=okta or index=network
| iplocation (src_ip)
| eval tuple = mvzip(src_ip, mvzip(deviceName, mvzip(City, Country)))
| stats values(tuple) by user, index
| eval fields = split(tuple, ",")
| eval src_ip = mvindex(fields, 0), deviceName=mvindex(fields,1), City=mvindex(fields, 2), Country=mvindex(fields,3)

A better approach might be to perform the iplocation command after stats.

index=okta or index=network
| stats values(src_ip) as src_ip by user, index
| mvexpand src_ip
| iplocation (src_ip)

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
2 weeks ago

The values and list functions display results in lexicographic order and destroy any potential relationship among the fields.  One solution is use mvzip to combine fields, group the results, then unzip the fields.

index=okta or index=network
| iplocation (src_ip)
| eval tuple = mvzip(src_ip, mvzip(deviceName, mvzip(City, Country)))
| stats values(tuple) by user, index
| eval fields = split(tuple, ",")
| eval src_ip = mvindex(fields, 0), deviceName=mvindex(fields,1), City=mvindex(fields, 2), Country=mvindex(fields,3)

A better approach might be to perform the iplocation command after stats.

index=okta or index=network
| stats values(src_ip) as src_ip by user, index
| mvexpand src_ip
| iplocation (src_ip)

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top