
How to use dedup on a field, but aggregate all other values in another field?

New Member

I am running a search to identify all users and the URLs they have connected to. The result includes duplicate users, but different URLs. I would like to dedup the users field, but have it list all URLs each user has connected to.

The results currently look like this:

User       URLS
Mak        Cnn.com
Mak        Google.com
Mak        Yahoo.com
Bam        Aljazeera.com
Bam        BBC.com

I would like it to look like this:

User       URLS
Mak        Cnn.com
           Google.com
           Yahoo.com
Bam        Aljazeera.com
           BBC.com

I hope this makes sense.

The current search is .... | table user src_user. If I use the dedup value against the src_user, I lose all the URLs except for one that associates with each user returned in the dedup function.

Thanks,

0 Karma

Re: How to use dedup on a field, but aggregate all other values in another field?

SplunkTrust
| yourquery
| stats list(URLS) as URLS by User


0 Karma

Re: How to use dedup on a field, but aggregate all other values in another field?

SplunkTrust

Note that list won't do dedup on URLs; you can use values instead if you want this to happen:

| inputcsv mycsv.csv
| stats values(URLS) as URLS by User
0 Karma
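
The difference between the two answers above, as an added example that is not part of the original thread: a self-contained search that builds constructed sample rows with makeresults (including a repeated Mak/Google.com hit, which is not in the question's data) and runs list() and values() side by side. The field names all_hits, unique_urls, unique_count and hits are chosen here for illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval row=case(n=1, "Mak,Cnn.com",
                n=2, "Mak,Google.com",
                n=3, "Mak,Yahoo.com",
                n=4, "Mak,Google.com",
                n=5, "Bam,Aljazeera.com",
                n=6, "Bam,BBC.com")
| eval User=mvindex(split(row, ","), 0), URLS=mvindex(split(row, ","), 1)
| stats list(URLS) as all_hits
        values(URLS) as unique_urls
        dc(URLS) as unique_count
        count as hits
        by User
```

For Mak, all_hits keeps Google.com twice in event order, while unique_urls shows it once and is sorted lexicographically. By default list() also keeps only the first 100 values per group, so values() with dc() is the safer choice when the goal is a complete set of distinct URLs per user.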

Re: How to use dedup on a field, but aggregate all other values in another field?

New Member

Thanks Javiergn, it works.

0 Karma