Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Removing duplicates in exported Report results

asarolkar
Builder
‎01-30-2013 04:23 PM

I have a search like this which produces the result I want (it counts modules per account number and location - the log has moduleId, account number and location)

sourcetype="accountLog" ModuleID=* accountLocation=* | dedup ModuleID | stats count(ModuleID) AS Total by accountNumber, accountLocation




These are the results I get in the correct format.

AccountNumber | Account Location | Total

    1234                   US            123

    1234                   EU             545

How do I get rid of the Account number appearing multiple times?
Can we selectively stop it from duplicating row values for just this column (without using dedup - i cannot use dedup here for obvious reasons) ?

Before an answer is proposed I already know about using list(values).

If I append list(values) by to my current filter, it works, but when i export it into a CSV file (or get splunk to run a query to generate it inline).

I am trying to get non-duplicates for that column in the exported CSV.

Any suggestions ?

Tags (3)
0 Karma
Reply

jeff
Contributor
‎01-31-2013 08:47 AM

Well you could do what you want with some stats functions... something like

sourcetype="accountLog" ModuleID=* accountLocation=* | dedup ModuleID
| stats count(ModuleID) AS Total by accountNumber, accountLocation
| sort Total desc
| eval location=accountLocation.": ".Total
| stats list(location) by accountNumber

should give you a report with two columns

accountNumber | location
1234            EU: 545
                US: 123
Reply

asarolkar
Builder
‎01-31-2013 11:52 PM

Man that was a brilliant solution !
Splunk is not excel. I get that.

But this solution saved us a lot of work.

Reply

yannK
Splunk Employee
Splunk Employee
‎01-31-2013 08:35 AM

This is splunk not excel, you kind of need a value for each field of each event .....

you could play with streamstats to create a new field for the column that will be empty if this is the same than the previous one.

Reply

asarolkar
Builder
‎01-31-2013 07:37 AM

That is correct !

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:35 AM

Just to be sure I understand your goal, is this the result you're looking for?

AccountNumber | Account Location | Total
1234            US                 123
                EU                 545

In other words, still two rows but empty in row 2 column 1?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...