Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge remaining fields into a multivalue field after dedup'ing one field?

russell120
Communicator
‎03-07-2019 11:29 AM

Hi,

Just as the question says. My current search results in something similar to this: 

ip       device
--------------------
111     workstation
--------------------
111     cell_phone
--------------------
111      router
--------------------

Running |dedup ip deletes two entire rows without keeping all 3 device values. Instead, I'd like to have it merge the device field into a multivalue field when duplicate ip values are found like so:

ip       device
--------------------
        workstation
111     cell_phone
         router
--------------------

What command(s) do I need to accomplish this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pkeenan87
Communicator
‎03-07-2019 11:41 AM

stats command should work here

base search....
| stats values(device) as device by ip

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pkeenan87
Communicator
‎03-07-2019 11:41 AM

stats command should work here

base search....
| stats values(device) as device by ip
0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎03-07-2019 11:55 AM

Ah I was having a brain fart. This did the trick, thanks.

0 Karma
Reply
Solved! Jump to solution

daljeanis_rtp
New Member
‎03-07-2019 11:33 AM

| stats values(device) as device by ip

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...