Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stats multiple sourcetypes showing unique field question

PPrice
Explorer
‎10-31-2021 05:02 PM

I'm trying to use a key across three sourcetypes to show unique non-multivalue rows using a stats by clause that has a different field in each of the sourcetypes
i.e.
Sourcetype A
NumberA(Key) Date (by clause)

Sourcetype B
NumberB(Key) Username (by clause)

Sourcetype C
NumberC(Key) Version (by clause)

if you use the number field, which is the key across the sourcetypes, as the stats by clause and add the different sourcetype fields as values, it produces multivalue fields (e.g. a number may have multiple dates, or users), where I'm looking for unique rows to show number, Date, Username, Version
e.g.
sourcetype=A OR sourcetype=B OR sourcetype=C
eval number=coalesce(NumberA, NumberB, NumberC)
stats values(sourcetype) values(Date) values(Username) values(Version) by number

I would have thought that you could add the different fields to the stats by clause after the key, but it's not returning anything-
e.g.
sourcetype=A OR sourcetype=B OR sourcetype=C
eval number=coalesce(NumberA, NumberB, NumberC)
stats values(sourcetype) by number Date Username Version

Would this make sense, and is possible?

Labels (2)
Labels
0 Karma
Reply

tread_splunk
Splunk Employee
Splunk Employee
‎11-01-2021 08:16 AM 
Stats values(sourcetype) values(Date) as date values(Username) values(Version)  by number
|mvexpand date
Reply

PPrice
Explorer
‎11-01-2021 12:03 PM

Adding 'as date' in the stats allowed mvexpand to expand across the different sourcetypes, very nice.

Thanks for highlighting it; let me work with it some more and I'll Karma up.

0 Karma
Reply

vhharanpositka
Path Finder
‎10-31-2021 08:15 PM

Hi @PPrice 

 

As per my understanding,

You can use "mvexpand" and "dedup" commands in search to get unique results in rows.

I tried this,

vhharanpositka_0-1635736467752.png

 

Thanks..

Reply

PPrice
Explorer
‎11-01-2021 05:22 AM

The mvexpand didn't seem to work.

I'm trying to produce something like this that contains a unique row that has fields in all three Sourcetypes.

Sourcetypenumber (From all sourcetypes)Date (from SourcetypeA)Username (from SourcetypeB)Version (from SourcetypeC)
SourcetypeA
SourcetypeB
SourcetypeC		1234512/12/2021Fred1.2
SourcetypeA
SourcetypeB
SourcetypeC		1234513/12/2021Fred1.2
SourcetypeA
SourcetypeB
SourcetypeC		1234514/12/2021Fred1.2

 

If I put
 Stats values(sourcetype) values(Username) values(Version) by number,Date
I see these values returned-

Sourcetypenumber(From all sourcetypes)Date (from SourcetypeA)Username (from SourcetypeB)Version (from SourcetypeC)
SourcetypeA1234512/12/2021  
SourcetypeA1234513/12/2021  
SourcetypeA1234514/12/2021  
SourcetypeB12345 Fred 
SourcetypeC12345  1.2

 

If I put
  Stats values(sourcetype) values(Date) values(Username) values(Version)  by number
I see these values returned

Sourcetypenumber(From all sourcetypes)Date (from SourcetypeA)Username (from SourcetypeB)Version (from SourcetypeC)
SourcetypeA
SourcetypeB
SourcetypeC		1234512/12/2021
13/12/2021
14/12/2021		Fred1.2

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...