How to group same values into one value?

sekhar463 · ‎12-26-2022

Good day,

how to group results of a same filed value into one fileld value

from below table i have a field box-name and in the multiple value of same

how can i group same value into one value as below table for same value in BOX_NAME field how can i keep as one value

i am using search to table the results

index=indexname sourcetype=sourename
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| table BOX_NAME,JOB_NAME,JOB_GROUP,REGION,TIMEZONE,STATUS,Currenttime,STATUS_TIME,LAST_START,LAST_END,NEXT_START,DAYS_OF_WEEK,EXCLUDE_CALENDAR,RUNTIME,Actualstarttime,Job_start_by,START_SLA,AVG_RUN_TIME

BOX_NAME JOB_NAME JOB_GROUP REGION TIMEZONE STATUS

PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-60ZIP	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-040INF	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-080DEL	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-010ARC	JAWS	Central	SUCCESS
PNB-JAWS-USCA-ORDER-TCA-INBOUND-DAILY	PNC-JAWS-USCA-ORDER-TCA-INBOUND-025FW	JAWS	Central	SUCCESS

PickleRick · ‎12-27-2022

It's not entirely clear what you mean.

If you want to have a "multirow" cell in your output visualization - kind of "groupping" of the rest of the row data - you can't do that. At least not with any of the built-in visualizations.

sekhar463 · ‎12-27-2022

hi Thanks for the search

i am getting expected results

but for somevalues are missing it was showing only Unique values for any field

for example for RUNTIME field it will show 10 values for 10 JOB_NAME field

but not showing for all of them like below is the out put values but showing only few

0
2
0
2
33
33
33
33
33
33
34
34
34
33
34
35
34
32
34
34
35
34
33
34
33
33
34
33
34
33
34
33
33
34
184
34
33
184
34
34
64
814
94
5
33
33
33
34
34
34
1053
33

gcusello · ‎12-27-2022

Hi @sekhar463,

if you don't want unique values but the list of values, you have to replace the values option with the list option, as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions

Ciao.

Giuseppe

gcusello · ‎12-26-2022

Hi @sekhar463,

I'm not sure to have understood your need, you could dedup using one field or use stats:

index=indexname sourcetype=sourename
| eval Actualstarttime=strftime(strptime(NEXT_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval Job_start_by=strftime(strptime(LAST_START,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| stats  
   values(JOB_NAME) AS JOB_NAME
   values(JOB_GROUP) AS JOB_GROUP
   values(REGION) AS REGION
   values(TIMEZONE) AS TIMEZONE
   values(STATUS) AS STATUS
   values(Currenttime) AS Currenttime
   values(STATUS_TIME) AS STATUS_TIME
   values(LAST_START) AS LAST_START
   values(LAST_END) AS LAST_END
   values(NEXT_START) AS NEXT_START
   values(DAYS_OF_WEEK) AS DAYS_OF_WEEK
   values(EXCLUDE_CALENDAR) AS EXCLUDE_CALENDAR
   values(RUNTIME) AS RUNTIME
   values(Actualstarttime) AS Actualstarttime
   values(Job_start_by) AS Job_start_by
   values(START_SLA) AS START_SLA
   values(AVG_RUN_TIME) AS AVG_RUN_TIME
   BY BOX_NAME

Ciao.

Giuseppe

How to group same values into one value?

table

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to group same values into one value?

table

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0