
How to prevent stats values () function from grouping equal values?

dasveruckte
New Member

Search String

index=myindex sourcetype=mysourcetype
| rex "\.(?<host_domain>.+)$" field=host
| lookup host_domain Domain AS host_domain OUTPUT Market System "System Name"
| search assetId=1111111111111
| stats values(System) as Systems values(provider) as Provider values(providerId) as ProviderID values(createTime) as ProvisionTime values(Licensing_Window_Start) as Window_Start values(Licensing_Window_End) as Window_End values(opState) as OpState by assetId product
| eval ProvisionTime=strftime(ProvisionTime,"%m/%d/%y %H:%M:%S")

createTime

Values      Count   %
1446874404  4       80%
1446874403  1       20%

Host Count

Values   Count   %
Host01   1       20%
Host02   1       20%
Host03   1       20%
Host04   1       20%
Host05   1       20%

The results look like

assetId   product   Systems   Provider   ProviderID   ProvisionTime      Window_Start   Window_End   OpState
  AAA     ABC   host01      ABCD       ABCDE      11/07/15 00:33:23
                    host02                            11/07/15 00:33:24
                    host03                                                    
                    host04                                                    
                    host05                                                    

What I am looking for is for the results to look like this, even if the values in ProvisionTime are the same:

assetId   product   Systems   Provider   ProviderID   ProvisionTime      Window_Start   Window_End   OpState
  AAA     ABC   host01      ABCD       ABCDE      11/07/15 00:33:23
                    host02                            11/07/15 00:33:23
                    host03                            11/07/15 00:33:23                        
                    host04                            11/07/15 00:33:23                        
                    host05                            11/07/15 00:33:24
1 Solution

jluo_splunk
Splunk Employee

Hi dasveruckte,

If you'd like a list of all values instead of unique values, you can use list() in place of values().

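Why the swap matters for the row alignment in the question: values() keeps only distinct values and sorts them, so the Systems column ends up with five entries while ProvisionTime has two, and the rows no longer correspond. list() keeps one entry per event in event order, so row i of each column comes from the same event. The simulation below is an added example, not code from the thread or from Splunk; it re-implements the two aggregation semantics in plain Python over constructed events, and assumes a UTC-5 display timezone so the formatted times match the tables above.

```python
"""Simulate Splunk stats values() vs list() on multivalue columns (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events for one assetId/product: four hosts share a
# createTime, one differs, as in the "Looking for" table above.
EVENTS = [
    {"assetId": "AAA", "product": "ABC", "System": "host01", "createTime": 1446874403},
    {"assetId": "AAA", "product": "ABC", "System": "host02", "createTime": 1446874403},
    {"assetId": "AAA", "product": "ABC", "System": "host03", "createTime": 1446874403},
    {"assetId": "AAA", "product": "ABC", "System": "host04", "createTime": 1446874403},
    {"assetId": "AAA", "product": "ABC", "System": "host05", "createTime": 1446874404},
]
BY = ("assetId", "product")
# Assumption: the poster's times (00:33:23 for epoch 1446874403) imply UTC-5.
DISPLAY_TZ = timezone(timedelta(hours=-5))

def stats_values(events, field):
    """values(field) by assetId product: distinct values, sorted as strings."""
    groups = defaultdict(set)
    for e in events:
        if field in e:
            groups[tuple(e[k] for k in BY)].add(str(e[field]))
    return {k: sorted(v) for k, v in groups.items()}

def stats_list(events, field):
    """list(field) by assetId product: every value, event order, duplicates kept.
    Alignment only holds if each event carries both fields; an event missing
    createTime would shift every later row up by one."""
    groups = defaultdict(list)
    for e in events:
        if field in e:
            groups[tuple(e[k] for k in BY)].append(str(e[field]))
    return dict(groups)

def strftime_mv(epochs, fmt="%m/%d/%y %H:%M:%S"):
    """Format each epoch of a multivalue field, like eval strftime() on it."""
    return [datetime.fromtimestamp(int(x), DISPLAY_TZ).strftime(fmt) for x in epochs]

def rows(agg, key=("AAA", "ABC")):
    """Pair Systems with ProvisionTime row by row, as the results table renders them."""
    systems = agg(EVENTS, "System")[key]
    times = strftime_mv(agg(EVENTS, "createTime")[key])
    return [(s, times[i] if i < len(times) else "") for i, s in enumerate(systems)]

if __name__ == "__main__":
    print("values():", rows(stats_values))  # two times for five hosts, rows drift
    print("list():  ", rows(stats_list))    # one time per host, rows aligned
```

Splunk's list() returns at most 100 values per group, so for groups larger than that the aligned columns are truncated.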
dasveruckte
New Member

That works thanks!!


dasveruckte
New Member

The format doesn't look good; here is another version.

Systems     createTime
host01      11/07/15 00:33:23
host02      11/07/15 00:33:24
host03
host04 

Looking for

Systems     createTime
host01      11/07/15 00:33:23
host02      11/07/15 00:33:23
host03      11/07/15 00:33:23
host04      11/07/15 00:33:24