Result of subsearch field repeated instead of disp...

mahbs · ‎01-18-2018

Hi,

I have a could of fields that contain multiple values, and I am trying to seperate them into sepereate records. The following query works 90%. The only issue is that the last field in the subsearch is not displaying the unique valeus, for example it may contain the value: 2,3 but it will only display 2. Every other field works fine in terms of displaying all the unique values per record. This is the current query I have:

index=index sourcetype=csv source=src1 host=host1 
 | stats count by ITEM field2 field3 field4 
 | rename field2 as F_2 field3 as F_3 field4 as F_4 
 | join ITEM 
     [ search index=index sourcetype=csv source=src2 host=host2 
     | stats count by SKU c_2 c_3 c_4 
     | rename SKU as ITEM | rename c_2 as C_2 c_3as C_3 c_4as C_4 ] 
 | eval DIFF1=F2-C_2 
 | eval DIFF2=F_3-C_3 
 | sort limit=0 ITEM 
 | table ITEM, F_2, F_3, F_4, c_2, c_3, c_4, DIFF1, DIFF2

Can someone suggest what I can do to fix the problem?

Thanks

cmerriman · ‎01-18-2018

if your fields are a multivalued list, splunk only brings back the first value. try adding |nomv C_4 at the end of your subsearch to convert it to a single value. you can also try having |mvcombine delim="," C_4 before the nomv to add a comma between the values.

http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Mvcombine
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Nomv

493669 · ‎01-18-2018

could you specify in detail which subsearch is not displaying unique values and what is the output you are getting and what is expected?

mahbs · ‎01-18-2018

Hi,
yep, the sub-search is where source=src2. Essentially C_4has multiple values, and im trying to seperate these values into seperate records which is working for the most part, but c_4 for some reason isn't displaying all the multiple values, it's just repeating, where as all the other fields are displaying the multiple data.

This is the output I want:
ITEM: 1234 F_2=22 F_3=21 F_4=23
ITEM: 1234 C_2=1 C_3=2 C_4=2

I hope that makes sense

493669 · ‎01-18-2018

could you please run only subsearch i.e.

search index=index sourcetype=csv source=src2 host=host2
| stats count by SKU c_2 c_3 c_4
| rename SKU as ITEM | rename c_2 as C_2 c_3 as C_3 c_4 as C_4

what output you are getting and what is expeced...

mahbs · ‎01-18-2018

I'm getting a list of all the data for the fields I have specified in the query

mahbs · ‎01-18-2018

There's also count column at the end

493669 · ‎01-18-2018

do you require count field else you should remove it using |fields - count

mahbs · ‎01-18-2018

yeah but that's not the problem at the moment

493669 · ‎01-18-2018

also why you are renaming same field in subsearch....else query looks fine ..if you could share dummy data for source=src2 and src1 then I can try

mahbs · ‎01-18-2018

I'm not sure if the join is working properly

Result of subsearch field repeated instead of displaying unique values

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...