Solved: How to remove duplicate values in a column of tabl...

priya1926 · ‎02-10-2022

My Query is

index=windows Type=Disk host IN (abc) FileSystem="*" DriveType="*" Name="*"
| dedup host, Name
| table _time, host, Name
| sort host, Name
| join type=left host [| search index=perfmon source="Perfmon:CPU" object=Processor collection=CPU counter="% Processor Time" instance=_Total
host IN (abc)
| convert num(Value) as value num(pctCPU) as value
| stats avg(value) as "CPUTrend" max(value) as cpu_utz by host
| eval "Max Peak CPU" = round(cpu_utz, 2)
| eval "CPUTrend"=round(CPUTrend, 2)
| fields - cpu_utz
| sort -"Peak CPU"
| rename "Max Peak CPU" AS "maxCPUutil"
| dedup "maxCPUutil"
| table _time, host, "maxCPUutil"]
| table host, "maxCPUutil", Name

I have this below output

host maxCPUutil Name

host maxCPUutil Name
abc 5.59 c:
abc 5.59 E:
abc 5.59 F:

What i want is

host maxCPUutil Name
abc 5.59 C:
E:
F:

ITWhisperer · ‎02-11-2022

Yes, you will either get a row for each Name with the data repeated when the host and maxCPUtil don't change; or a row for each host and maxCPUtil with a multivalue field of Names

View solution in original post

ITWhisperer · ‎02-10-2022

| stats values(Name) as Name by host maxCPUutil

priya1926 · ‎02-10-2022

but @ITWhisperer my result has multiple hosts.. Not single host. Output should be

1. abc 35.16 C:
2. 😧
3. E:
4. def 45.56 C:
5. I:
6. J and etc

ITWhisperer · ‎02-10-2022

I am not sure I understand the issue - the host is mentioned in the by clause so you should get a line for each host maxCPUutil combination with the Names listed in a multivalue field.

priya1926 · ‎02-11-2022

@ITWhisperer any alternate method?

ITWhisperer · ‎02-11-2022

What happened when you added the line I suggested already?

priya1926 · ‎02-11-2022

its like all the drive letters are coming in a single cell, single row.. they need to come in different rows.

PickleRick · ‎02-11-2022

You could do that but what for? What's the point of having results regarding the same entity with no connection to one another? If you, for example, resort the results you can't say which host the "empty" rows are for.

ITWhisperer · ‎02-11-2022

| mvexpand Name

priya1926 · ‎02-11-2022

same like earlier

ITWhisperer · ‎02-11-2022

Yes, you will either get a row for each Name with the data repeated when the host and maxCPUtil don't change; or a row for each host and maxCPUtil with a multivalue field of Names

How to remove duplicate values in a column of table

eval

field extraction

fields

join

other

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!