Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to remove duplicates from a table?

dsiob
Communicator
‎05-15-2017 06:58 AM

hi, I am using table which shows up duplicates, shown below. Here some track has multiple status (eg: Yellow and Red). In this case, row having 'Yellow' status for that track should appear.

Tags (3)
expected.jpg
Preview file
20 KB
question-splunk.jpg
Preview file
28 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-16-2017 04:48 AM

Try setting a priority field and using the same to get desired results -

<your search>  | eval priority=case(Status=="GREEN", 1, Status=="Yellow", 2, Status=="Red", 3) | stats min(priority) as priority by Track_Name | eval Status=case(priority==1, "GREEN", priority==2,"Yellow", priority==3,"Red") | table Track_Name Status

View solution in original post

Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-16-2017 04:48 AM

Try setting a priority field and using the same to get desired results -

<your search>  | eval priority=case(Status=="GREEN", 1, Status=="Yellow", 2, Status=="Red", 3) | stats min(priority) as priority by Track_Name | eval Status=case(priority==1, "GREEN", priority==2,"Yellow", priority==3,"Red") | table Track_Name Status
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-15-2017 08:14 AM

What is the reasoning behind showing the row with "Yellow". Is this the latest status?

If so, you could try:

[YOUR CURRENT SEARCH]
| sort -Status
| dedup Track_Name
0 Karma
Reply
Solved! Jump to solution

dsiob
Communicator
‎05-15-2017 08:18 PM

Red and Yellow represents Priority level. I have to pick least priority that is Yellow.

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-15-2017 08:07 AM

Hello,

Generally you can filter out results in your search query as per the following:

Status!=Red

Regards

Reply
Solved! Jump to solution

dsiob
Communicator
‎05-15-2017 08:22 PM

Red and Yellow shows the priority level. So if there is multiple priority for one track, row with least priority (Yellow) should be selected.
If any track having only single status (Red or Yellow), it should show as it is.

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-16-2017 03:15 AM

Thanks for the clarification.

Then you need to use transaction command to create one big event that contains all the statuses for single track.

Now Status filed became multivalue filed as it may contains Red and Yellow at the same time, then we count the values with Status_count=mvcount(Status).

Finally we use case statements to determine the count of status, if it equals 2, then Status will be Yellow if not it will have the original value.

The complete query:

Search query | transaction Track_Name | eval Status_count=mvcount(Status) | eval Status=case(Status_count == 2, "Yellow", Status_count ==1 , Status)  | table Track_Name, Status

Hope this helps.

Regards

0 Karma
Reply
Solved! Jump to solution

dsiob
Communicator
‎05-16-2017 06:28 AM

thanks a lot for your working solution!!

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-16-2017 06:44 AM

It is my pleasure !

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top