Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to remove duplicates from a table?

dsiob
Communicator
‎05-15-2017 06:58 AM

hi, I am using table which shows up duplicates, shown below. Here some track has multiple status (eg: Yellow and Red). In this case, row having 'Yellow' status for that track should appear.

Tags (3)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-16-2017 04:48 AM

Try setting a priority field and using the same to get desired results -

<your search>  | eval priority=case(Status=="GREEN", 1, Status=="Yellow", 2, Status=="Red", 3) | stats min(priority) as priority by Track_Name | eval Status=case(priority==1, "GREEN", priority==2,"Yellow", priority==3,"Red") | table Track_Name Status

View solution in original post

Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-16-2017 04:48 AM

Try setting a priority field and using the same to get desired results -

<your search>  | eval priority=case(Status=="GREEN", 1, Status=="Yellow", 2, Status=="Red", 3) | stats min(priority) as priority by Track_Name | eval Status=case(priority==1, "GREEN", priority==2,"Yellow", priority==3,"Red") | table Track_Name Status
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-15-2017 08:14 AM

What is the reasoning behind showing the row with "Yellow". Is this the latest status?

If so, you could try:

[YOUR CURRENT SEARCH]
| sort -Status
| dedup Track_Name
0 Karma
Reply
Solved! Jump to solution

dsiob
Communicator
‎05-15-2017 08:18 PM

Red and Yellow represents Priority level. I have to pick least priority that is Yellow.

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-15-2017 08:07 AM

Hello,

Generally you can filter out results in your search query as per the following:

Status!=Red

Regards

Reply
Solved! Jump to solution

dsiob
Communicator
‎05-15-2017 08:22 PM

Red and Yellow shows the priority level. So if there is multiple priority for one track, row with least priority (Yellow) should be selected.
If any track having only single status (Red or Yellow), it should show as it is.

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-16-2017 03:15 AM

Thanks for the clarification.

Then you need to use transaction command to create one big event that contains all the statuses for single track.

Now Status filed became multivalue filed as it may contains Red and Yellow at the same time, then we count the values with Status_count=mvcount(Status).

Finally we use case statements to determine the count of status, if it equals 2, then Status will be Yellow if not it will have the original value.

The complete query:

Search query | transaction Track_Name | eval Status_count=mvcount(Status) | eval Status=case(Status_count == 2, "Yellow", Status_count ==1 , Status)  | table Track_Name, Status

Hope this helps.

Regards

0 Karma
Reply
Solved! Jump to solution

dsiob
Communicator
‎05-16-2017 06:28 AM

thanks a lot for your working solution!!

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-16-2017 06:44 AM

It is my pleasure !

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...