Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to keep row data together when using the stats command?

genesiusj
Builder
‎09-11-2020 02:17 PM

Hello,

Is there a way to keep row data together when using the stats command?

ID   Loc   FirstName  LastName

1     NYC   Tom Jones
2     CHI   Peggy Sue
3     BOS   Phil Collins
4     BOS   John Lennon
5     NYC   Paul McCartney

If I used `| stats values(FirstName), values(LastName) BY Loc` I believe I would get this.

BOS   John Collins
      Phil Lennon
CHI   Peggy Sue
NYC   Paul Jones
      Tom McCartney


How do I keep FirstName and LastName together BY Loc?
This is a scaled-down example. I have more than 20 fields, and over 10,000 events.

Thanks in advance.

Stay safe and healthy, you and yours.
God bless,

Genesius

Labels (1)
Labels
0 Karma
Reply

Nextbeat
Path Finder
‎02-22-2024 11:57 AM

When using stats, rather than using values, use list for each field instead:

| stats list(FirstName), list(LastName) by Loc

Tags (3)
0 Karma
Reply

genesiusj
Builder
‎09-14-2020 07:03 AM

@marycordova and @ITWhisperer 

Thank you for your answers.

Your solutions would work if my event contained a few fields. However, the data includes 20+ fields [Loc, FN, LN, Address, City, State, Zip, Phone, ID, etc.]; and will be increasing to over 100 fields. If we mvappend all of these fields, this would be extremely inefficient, as well as make sorting/searching on a specific field(s) very cumbersome.

A colleague suggested using list instead of values: | stats list(FirstName), list(LastName) BY Loc. However, I don't believe Splunk would handle event data where a field was null or blank properly. It would not enter a blank line in the results table.

Thanks again and God bless,
Genesius

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-16-2020 05:15 AM

You are right about nulls/empty strings being omitted from the list so you could try using a space filler

| fillnull value=" " FirstName, LastName
| stats list(FirstName) as FirstName, list(LastName) as LastName by Loc

Note it can't be an empty string

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎09-11-2020 08:40 PM

I like to use mvzip:

 

| eval Name=mvzip('LastName','FirstName',", ")
| stats values(Name) as Name by Loc

 

That gives you something like:

BOSCollins, Phil
Lennon, John
CHISue, Peggy
NYCJones, Tom
McCartney, Paul

 

I use this kind of thing with a DHCP lookup table I build so that the IP to NIC/MAC to hostname to timestamp relationship is preserved.  Otherwise if you just did stats values IP values MAC by hostname you wouldn't know which IP went with which MAC address.  And if you want to preserve a reference history you also need to link these assignments to the date/time they were assigned.  

@marycordova
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 02:46 PM 
| eval joined=mvappend(FirstName, LastName)
| eval joined=mvjoin(joined, " ")
| stats values(joined) as Name BY Loc

Not sure if that's what you meant

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...