Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove duplicate values only in one column out of four columns?

im_bharath
Path Finder
‎11-21-2022 04:36 AM

Hello All, 

When using the "stats count by column1, column2, column3, column4"

I get the below result 

Existing table : 

column1 column2 column3 column4
XXXXXXXX YYYYY A 123
XXXXXXXX YYYYY B 123
XXXXXXXX YYYYY C 123
XXXXXXXX YYYYY D 123
XXXXXXXX YYYYY E 123

 

Where as I need this result :

column1 column2 column3 column4
XXXXXXXX YYYYY A 123
    B  
    C  
    D  
    E  

 

Could somebody please help me with the query? 

Thanks, 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 04:48 AM

Hi @im_bharath,

please try something like this:

<your_search>
| stats 
   count AS column4 
   values(column2) AS column2 
   values(column3) AS column3 
   BY column1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-21-2022 04:48 AM

Hi @im_bharath,

please try something like this:

<your_search>
| stats 
   count AS column4 
   values(column2) AS column2 
   values(column3) AS column3 
   BY column1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

im_bharath
Path Finder
‎11-21-2022 05:16 AM

Hey @gcusello

That worked.. thanks a lot. 

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-21-2022 04:47 AM

@im_bharath 

Can you please try this?

YOUR_SEARCH
| streamstats count by column1 column2	column4
| eval column1=if(count==1,column1,""), column2=if(count==1,column2,""),column4=if(count==1,column4,"")
|fields - count

 

My Sample Search :

| makeresults 
| eval _raw="column1	column2	column3	column4
XXXXXXXX	YYYYY	A	123
XXXXXXXX	YYYYY	B	123
XXXXXXXX	YYYYY	C	123
XXXXXXXX	YYYYY	D	123
XXXXXXXX	YYYYY	E	123
1XXXXXXXX	1YYYYY	A	1234
1XXXXXXXX	1YYYYY	B	1234
1XXXXXXXX	1YYYYY	C	1234
1XXXXXXXX	1YYYYY	D	1234
1XXXXXXXX	1YYYYY	E	1234" 
| multikv forceheader=1
| table column1	column2	column3	column4
| rename comment as "upto this is sample data"
| streamstats count by column1 column2	column4
| eval column1=if(count==1,column1,""), column2=if(count==1,column2,""),column4=if(count==1,column4,"")
|fields - count

 

Screenshot 2022-11-21 at 6.17.05 PM.png

I hope this will help you.

 Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.



Reply
Solved! Jump to solution

im_bharath
Path Finder
‎11-22-2022 01:34 AM

Hey @kamlesh_vaghela ,

I have tried below SPL query as suggested by you, 

| multikv forceheader=1
| table column1	column2	column3	column4
| rename comment as "upto this is sample data"
| streamstats count by column1 column2	column4
| eval column1=if(count==1,column1,""), column2=if(count==1,column2,""),column4=if(count==1,column4,"")
|fields - count

so i got below result similar to the other post, but we were getting the multiple values for column3 like 1,1,2,3,3,3,3,4,5,5,5,6,6, instead of 1,2,3,4,5,6 

So i have added the "dedup column3" to your search and it removed the duplicate results. 

Thank you for the solution. 

0 Karma
Reply
Solved! Jump to solution

im_bharath
Path Finder
‎11-21-2022 05:17 AM

Hey @kamlesh_vaghela

I will try and let you know if this works as well or not.. 

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...