Hi
I'm trying to find duplicate values of a field by using the below query.
index = internal source type="*" Space="*" App="*" | eval App=lower(APP) | dedup Space,APP | stats count by APP | where count>1
Getting the result as
APP count
app 1 2
app 2 2
Now I want to display both values like
APP count
app1 1
APP1 1
APP2 1
app2 1
I'm not able to find a way to get the results like above.
Can someone help with this?
Your initial stats count by APP would indicate that the values APP1 and APP2 are not values of APP, but maybe you meant
stats count by App
in which case, app1 and APP1 would be both app1 in the field App, but would have the original values in APP field.
Can you provide a better example of your data? However, these examples may help:
| stats values(APP) as APP count by App
| where count > 1
OR
| eventstats count as APP_Count by APP
| stats list(APP) as APP list(APP_Count) as APP_Count count by App
| where count > 1
Neither gives you exactly what you are after, but if you can provide a clearer example of the input data, I can help.
Field names are case sensitive in Splunk, so can you clarify what App in the data is, if you immediately are reassigning it to the lower(APP) in the first command after the pipe?
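
Added example, not part of the original thread: one way to list each original-case value whose lowercase form collides with another, run on constructed rows built with makeresults. It assumes the raw field is named APP (the thread leaves that open); app_lower and variants are helper field names chosen here.

```spl
| makeresults count=5 ```constructed sample rows, not data from the thread```
| streamstats count as n
| eval Space="s".n, APP=case(n=1,"app1", n=2,"APP1", n=3,"APP2", n=4,"app2", n=5,"app3")
| dedup Space, APP
| stats count by APP ```one row per original-case value```
| eval app_lower=lower(APP) ```helper field, assumed name; APP itself is left untouched```
| eventstats dc(APP) as variants by app_lower ```how many spellings share this lowercase form```
| where variants > 1 ```keep only values that collide once case is ignored```
| sort app_lower, APP
| table APP count
```

To run it on indexed events, replace the first three lines with the base search and keep everything from dedup onward.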