Splunk Search

How to merge remaining fields into a multivalue field after dedup'ing one field?

Communicator

Hi,

Just as the question says. My current search results in something similar to this:

ip    device
---   -----------
111   workstation
111   cell_phone
111   router

Running |dedup ip deletes two entire rows without keeping all 3 device values. Instead, I'd like to have it merge the device field into a multivalue field when duplicate ip values are found like so:

ip    device
---   -----------
111   workstation
      cell_phone
      router

What command(s) do I need to accomplish this?


Communicator

The stats command should work here:

base search....
| stats values(device) as device by ip

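To make the difference between the two commands concrete, here is an added Python emulation (not Splunk code and not part of the thread) of `dedup ip` versus `stats values(device) as device by ip` over a constructed event set; it goes one step beyond the answer by also emulating `stats list(device)`, which keeps duplicates and arrival order where `values()` returns distinct, sorted values.

```python
from collections import OrderedDict

# Constructed sample events (not from the original thread): one IP seen with
# several devices, plus a repeated device to show values() versus list().
EVENTS = [
    {"ip": "111", "device": "workstation"},
    {"ip": "111", "device": "cell_phone"},
    {"ip": "111", "device": "router"},
    {"ip": "111", "device": "workstation"},
    {"ip": "222", "device": "printer"},
]


def dedup(events, field):
    """Emulate `| dedup <field>`: keep only the first event per field value,
    discarding the other rows entirely (the behaviour the question complains about)."""
    seen = set()
    out = []
    for ev in events:
        if ev[field] in seen:
            continue
        seen.add(ev[field])
        out.append(ev)
    return out


def stats_values(events, value_field, by_field):
    """Emulate `| stats values(<value_field>) as <value_field> by <by_field>`.
    values() collects the distinct values per group into one multivalue field,
    sorted lexicographically; groups are ordered by the by-field."""
    groups = {}
    for ev in events:
        groups.setdefault(ev[by_field], set()).add(ev[value_field])
    return [{by_field: k, value_field: sorted(v)} for k, v in sorted(groups.items())]


def stats_list(events, value_field, by_field):
    """Emulate `| stats list(<value_field>) as <value_field> by <by_field>`:
    every occurrence is kept in arrival order, duplicates included."""
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(ev[by_field], []).append(ev[value_field])
    return [{by_field: k, value_field: v} for k, v in groups.items()]


if __name__ == "__main__":
    print(dedup(EVENTS, "ip"))
    print(stats_values(EVENTS, "device", "ip"))
    print(stats_list(EVENTS, "device", "ip"))
```

Use `values()` when you want a clean set of devices per IP and `list()` when the order or count of sightings matters.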


Communicator

Ah I was having a brain fart. This did the trick, thanks.


New Member

| stats values(device) as device by ip
