How to edit my search to prevent getting duplicate results with mvexpand?

smudge797
Path Finder

I have a set of ticket data and am trying to match the words with the description to track issues. My current search is getting duplicates, and I'm wondering if this is the best approach anyway.

Current search:

index=myindex sourcetype=blah | makemv delim="##Survey##" description | eval description=mvindex(description,0) | makemv description | mvexpand description | search description [ | inputlookup TicketWords.csv | rename Words as description ] | eval description=lower(description)  | top 50 description 

TicketWords.csv = 34 entries under Words
 
Search would match “phone”, but also “iphone”, and causes duplicates. Here is a sample event:

"2016-10-31 08:16:04" incidentId="16245821", active="1", createBy="x213163", fullname="Smith, John", createDate="2016-10-31 12:14:35.817", description="I just migrated to phone and have 2 x 24" monitors.  Both display the same output. Can't change to have two independent monitors.
##Survey##
Please choose the option which best describes your problem.: MONITOR CONFIGURATION ON DESKTOP OR LAPTOP - Do you need assistance setting up multiple monitors on your corporate laptop or desktop?: yes - Your ticket has been identified as an issue that can be resolved with the assistance of the Hub website. Among other features, this site will show you How-To Setup Dual Monitors on a Desktop or Laptop. https://hub.my.net/HowTo/HowToLandingPage?helparticle=6441:  - Did the above solution resolve your issue?: no - Please select an option: I tried applying the solution but it did not fix my issue", groupId="5191", groupName="Blah NA TTT Desktop Enterprise"

Flynt
Splunk Employee

It should match the exact terms.

In your subsearch I see description in with your criteria.

index=myindex sourcetype=blah | makemv delim="##Survey##" description | eval description=mvindex(description,0) | makemv description | mvexpand description | search description [ | inputlookup TicketWords.csv | rename Words as description ] | eval description=lower(description)  | top 50 description 

Do you get the same results if you remove that term?

index=myindex sourcetype=blah | makemv delim="##Survey##" description | eval description=mvindex(description,0) | makemv description | mvexpand description | search [ | inputlookup TicketWords.csv | rename Words as description ] | eval description=lower(description)  | top 50 description 
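The following is an added example, not code from either post above and not something Splunk ships: a small Python model of the pipeline in the question (split at ##Survey##, keep the first part, break the description into one row per word, match against the lookup words, count) so the two sources of duplicates can be seen outside Splunk. It contrasts whole-token matching, which is what Flynt says `search description=<word>` does, with substring matching, which is what would make "phone" also hit "iphone", and it contrasts counting every matching row (what `top description` does after `mvexpand`) with counting distinct tickets per word. The sample events, ticket ids and the three-word stand-in for TicketWords.csv are constructed for the example.

```python
import re
from collections import Counter

SURVEY_DELIM = "##Survey##"

# Constructed sample events in the shape of the event quoted in the question
# (fictional ticket ids and text, not real data).
SAMPLE_EVENTS = [
    {"incidentId": "1", "description":
        'I just migrated to phone and have 2 x 24" monitors. Phone display is wrong.'
        + SURVEY_DELIM + " Please choose the option which best describes your problem."},
    {"incidentId": "2", "description":
        "iphone will not sync mail" + SURVEY_DELIM + " Did the above solution resolve your issue?: no"},
    {"incidentId": "3", "description":
        "Monitor flickers; second monitor is dark" + SURVEY_DELIM + " survey text"},
]

# Constructed stand-in for the Words column of TicketWords.csv.
TICKET_WORDS = ["phone", "monitor", "laptop"]


def before_survey(description, delim=SURVEY_DELIM):
    """makemv delim="##Survey##" description | eval description=mvindex(description,0):
    keep only the free text before the survey block."""
    return description.split(delim, 1)[0]


def expand_tokens(description):
    """makemv description | mvexpand description | eval description=lower(description):
    one lower-cased word per row."""
    return re.findall(r"[a-z0-9]+", before_survey(description).lower())


def matches(token, words, substring=False):
    """Whole-token match (what search description=<word> does for a plain term)
    or substring match (what a wildcarded term such as *phone* would do)."""
    if substring:
        return [w for w in words if w in token]
    return [token] if token in words else []


def count_occurrences(events, words, substring=False):
    """Equivalent of `top description` straight after mvexpand: every matching
    row counts, so a ticket mentioning a word twice contributes two."""
    counts = Counter()
    for ev in events:
        for tok in expand_tokens(ev["description"]):
            counts.update(matches(tok, words, substring))
    return counts


def count_tickets(events, words, substring=False):
    """Equivalent of `dedup incidentId description` before `top`, or of
    `stats dc(incidentId) by description`: at most one row per ticket and word."""
    seen = set()
    for ev in events:
        for tok in expand_tokens(ev["description"]):
            for w in matches(tok, words, substring):
                seen.add((ev["incidentId"], w))
    return Counter(w for _, w in seen)


if __name__ == "__main__":
    for substring in (False, True):
        mode = "substring" if substring else "whole-token"
        print(mode, "rows:   ", count_occurrences(SAMPLE_EVENTS, TICKET_WORDS, substring).most_common(50))
        print(mode, "tickets:", count_tickets(SAMPLE_EVENTS, TICKET_WORDS, substring).most_common(50))
```

On the constructed events, whole-token matching never counts "iphone" for "phone", while substring matching does; and the row count for "phone" is 2 for a single ticket that mentions it twice, which drops to 1 once results are deduplicated per ticket. In Splunk the same effect is obtained by inserting `dedup incidentId description` before `top 50 description`, or by replacing `top` with `stats dc(incidentId) AS tickets by description | sort -tickets`.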