Splunk Search

get the single value out of multiple

abhayneilam
Contributor

Hi,

I have the input like this :

Name Location


abhay kol,mumbai,kol
murari mumbai,chennai
trid delhi,delhi
xyz haridwar

My output should be like :

Name Location


abhay kol,mumbai
murari mumbai,chennai
trid delhi
xyz haridwar

If any double data is there in Location filed then it should be removed, I want to display only single value !!

Please help !!

Thanks
Abhay

0 Karma

sideview
SplunkTrust
SplunkTrust

You can do this by turning the Location into a multivalued field, and then using stats values to get only the distinct values for each Name.

<your search here> | eval Location=split(Location,",") | stats values(Location) as Location by Name

This makes a couple assumptions -- each Name value only appears in one row in your search results, and the comma character never makes an appearance in your actual Location values.

0 Karma

abhayneilam
Contributor

my input has some blank value also in the Location field:

Name Location


abhay kol,mumbai,kol
murari mumbai,chennai
trid delhi,delhi
xyz haridwar
abc
mno

my output should be like this :

Name Location
abhay kol,mumbai
murari mumbai,chennai
trid delhi
xyz haridwar
abc
mno

0 Karma

abhayneilam
Contributor

This is my search:

index="maa" | rex max_match=9999 field="Location" (?(?i)"(delhi|mumbai|kol|bu is)")|eval final=mvjoin(ONE,",")| table Name Age Location final | sort final + desc

0 Karma

bmacias84
Champion

Ok, another off the cuff search.


...| makemv delim="," Location | dedup Location | eval Location =mvjoin(Location ,",") | table Name, Location

or


...| makemv delim="," Location | dedup Location | eval Location=if(Name=Name,mvjoin(Location ,","),Location) | table Name, Location

0 Karma

kristian_kolb
Ultra Champion

Could you please also post

a) some sample events
b) the search that produces the first table

/k

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>