Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Working with eventtypes: how to solve duplicated rows into results

nik_splunk
Path Finder
‎05-25-2010 08:04 AM

Good morning,

I'm developing for a customer a very simple search.

tag=mysourcetype tag=myeventtype startdaysago=7 tag= | stats count by _time,User_Name,"tag::eventtype" ....

An example could be as follow:

tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | stats count by _time,User_Name,"tag::eventtype" ...

I'm using several eventtypes to identify :

an_action = there are approximatly 60 eventcode saved as eventype to identify 5 categories of actions

groupfoo = there are eventtypes to identify those groups.

Customer wants a simple table where is clear

WHEN, WHO, WHAT.

Troubles are regarding WHAT:

| stats count by _time,User_Name,"tag::eventtype"

produces good rows (those regarding action ) but also I get duplicated results because groupfoo eventtypes. I mean that also goupfoo is defined as eventtype so for each time I get duplicated results: one (or more) by the perspective of action and this is what I'm looking for. Another one by the perspective of groupfoo : this is the sum of all the previous rows.

Using inputlookup command, results aren't better:

I built a lookup table for all those events I'm interested in, but:

|input lookup mylookuptable.csv ---> works

tag::sourcetype=WINDOWS startdaysago=7 tag= [|input lookup mylookuptable.csv | format ]| stats count by _time,User_Name, ...

returns 0 events

Where I wrong?

Thanks in advance for your time and for any suggestions you would gently provide

Nik

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 08:48 PM

Hi Nik,

I don't think that this is because of the output of the initial search, whether you use tag= or the inputlookup. Splunk will not emit the same event twice to the rest of the search string. The issue is probably that stats count will emit two rows if the tag::eventtype is a multivalued field (that is, there are two tags for the eventtype in the same event).

The easiest thing to do here is to use the mvcombine command to flatten the tag::eventtype into a single valued field. You may want to filter out the tags to be those that match your "whats." For example, you may want to have the search be:

tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | eval what=mvfilter(tag::eventtype LIKE "what-%") | mvcombine what | stats count by _time,User_Name,what ...

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 08:48 PM

Hi Nik,

I don't think that this is because of the output of the initial search, whether you use tag= or the inputlookup. Splunk will not emit the same event twice to the rest of the search string. The issue is probably that stats count will emit two rows if the tag::eventtype is a multivalued field (that is, there are two tags for the eventtype in the same event).

The easiest thing to do here is to use the mvcombine command to flatten the tag::eventtype into a single valued field. You may want to filter out the tags to be those that match your "whats." For example, you may want to have the search be:

tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | eval what=mvfilter(tag::eventtype LIKE "what-%") | mvcombine what | stats count by _time,User_Name,what ...
Reply
Solved! Jump to solution

nik_splunk
Path Finder
‎06-23-2010 08:10 AM

Hello Marklar, sorry for my 'silly' question but You're absolutely right..Thanks a lot !

0 Karma
Reply
Solved! Jump to solution

Marklar
Splunk Employee
Splunk Employee
‎06-21-2010 09:15 PM

Hi nik - eval thinks the '::' in the tag is an operator. When you have a field with special characters in an eval expression, surround that field with single quotes or dollar signs. Try this: eval what=mvfilter('tag::eventtype' LIKE "what-%")

0 Karma
Reply
Solved! Jump to solution

nik_splunk
Path Finder
‎06-21-2010 03:08 PM

piping

eval what=mvfilter(tag::eventtype LIKE "what-%") exits with this error

Error in 'eval' command: Malformed expression - ) expected.

Any IDEA? Tks

0 Karma
Reply
Solved! Jump to solution

nik_splunk
Path Finder
‎06-06-2010 11:11 AM

Hi Stephen,

thanks so much for your time: I really appreciate your support and your professionalism.

Have a good day!

nik

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...