Why does Xyseries drop duplicates?

Veeru · ‎07-14-2022

index=a host="b" source="0*_R_S_C_ajf" OWNER=dw*
|eval ODate=strptime(ODATE,"%Y%m%d")
|eval ODATE=strftime(ODate,"%Y-%m-%d")
| eval TWIN_ID=substr(JOBNAME,7,2)
|search ODATE="2022-07-13" TWIN_ID="CH"
| xyseries TWIN_ID STATUS APPLIC
|fillnull value="0"
when i select TWIN_ID="CH" it is showing 3 counts but actuall count is 73.I think xyseries is removing duplicates can you please me on this
my output is

TWIN_ID N VALUE Y

CH	DW_tz	DW_l6	DW_1b
cH	0	0	rs_rc
ch	0	DW_dwscd	DW_dwscd

i also tried alternate with chart over
index=a host="b" source="0*_R_S_C_ajf" OWNER=dw*
|eval ODate=strptime(ODATE,"%Y%m%d")
|eval ODATE=strftime(ODate,"%Y-%m-%d")
| eval TWIN_ID=substr(JOBNAME,7,2)
| chart values(APPLIC) as APPLIC over TWIN_ID by STATUS
|mvexpand N
|fillnull value="0"
MYOUTPUT

Thank you in advance

ITWhisperer · ‎07-14-2022

Try list rather than values

index=a host="b" source="0*_R_S_C_ajf" OWNER=dw*
|eval ODate=strptime(ODATE,"%Y%m%d")
|eval ODATE=strftime(ODate,"%Y-%m-%d")
| eval TWIN_ID=substr(JOBNAME,7,2)
| chart list(APPLIC) as APPLIC over TWIN_ID by STATUS
|mvexpand N
|fillnull value="0"

Veeru · ‎07-14-2022

Hello @ITWhisperer

Thanks for reply

I tried the list but still i am getting duplicates

TWIN_ID N VALUE Y

CH

DW_i6

DW_dx

DW_bp

DW_o9

DW_sb

DW_tz

DW_o6

DW_tz

DW_ed

DW_h6

DW_zp

DW_bl

DW_c1

DW_v2

DW_zp

DW_o4

DW_o3

DW_o5

DW_ed

DW_zp

DW_w6

DW_d6

DW_ec

DW_t6

DW_eb

DW_t1

DW_d6

DW_w6

DW_v2

when to mv expand of Y N VALUES I am getting duplicates

CH	DW_tz	DW_e2	DW_t4
CH	DW_tz	DW_v2	DW_t4
CH	DW_tz	DW_zp	DW_t4
CH	DW_tz	DW_e2	DW_t4
CH	DW_tz	DW_g1	DW_t4
CH	DW_tz	DW_dx	DW_t4
CH	DW_tz	DW_o5	DW_t4
CH	DW_tz	DW_c5	DW_t4
CH	DW_tz	DW_o3	DW_t4

ITWhisperer · ‎07-14-2022

Correct - mvexpand works on one field at a time, all other fields are duplicated for each value in the mv-field

If you use mvexpand on multiple fields you will get a cross-product of the events.

Perhaps it would be clear if you give an example of your events and what you expect your result to be

Veeru · ‎07-15-2022

Hello @ITWhisperer

Thanks for reply.
what i got the results

CH

DW_i6

DW_dx

DW_bp

DW_o9

DW_sb

DW_tz

DW_o6

DW_tz

DW_ed

DW_h6

DW_zp

DW_bl

DW_c1

DW_v2

DW_zp

DW_o4

DW_o3

DW_o5

DW_ed

DW_zp

DW_w6

DW_d6

DW_ec

DW_t6

DW_eb

DW_t1

DW_d6

DW_w6

DW_v2

what i except output is

TWIN_ID	Y	VALUE	N
CH	DW_i6	DW_zp	0
CH	DW_dx	DW_h6	DW_2
CH	DW_bp	DW_ed	0
cH	DW_o9	DW_bl	DW_3
ch	DW_sb	DW_c1	0

PickleRick · ‎07-14-2022

Xyseries only spreads values around. If you want aggregation use stats.

<...>
| stats count(APPLIC) AS APPLIC by TWIN_ID STATUS
| xyseries TWIN_ID STATUS APPLIC

Veeru · ‎07-14-2022

MYOUTPUT

TWIN_ID	Y	N
CH	D	DW1 DW2 DWacd
CH	Dw2	DW1 DW2 DWacd
cH	0	DWacd
ch	Dwad	0

Why does Xyseries drop duplicates?

other

stats

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk