Solved: how to remove duplicates in appended queries

rkishoreqa · ‎02-20-2021

I used the below query, here some applications are like appname and some like appname.application. So I added app1*,app2*,....
Now the counts are perfect and getting the duplicate application names.

index="index1" ApplicationName IN (app1*,app2*,app3*,app4*,app5*,app6*,app7*,app8*,app9*)
| chart count(ApplicationName) over ApplicationName by Status
| addtotals
| append
[| makeresults
| eval ApplicationName=split("app1,app2,app3,app4,app5,app6,app7,app8,app9", ",")
| mvexpand ApplicationName
| fields - _time ]
| fillnull value=0
| stats max(*) as * by ApplicationName

Can anyone please help me on this.

scelikok · ‎02-22-2021

Hi @rkishoreqa,

Can you try renaming fields like this?

index="index1" ApplicationName IN (app1*,app2*,app3*,app4*,app5*,app6*,app7*,app8*,app9*) 
| chart count(ApplicationName) over ApplicationName by Status 
| eval ApplicationName=mvindex(split(ApplicationName,"."),0) 
| stats sum(*) as * by ApplicationName
| addtotals 
| append 
    [| makeresults 
    | eval ApplicationName=split("app1,app1.app,app2,app3,app4,app5,app6,app7,app8,app9", ",") 
    | mvexpand ApplicationName 
    | fields - _time ] 
| fillnull value=0 
| stats max(*) as * by ApplicationName

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎02-22-2021

Hi @rkishoreqa,

Can you try renaming fields like this?

index="index1" ApplicationName IN (app1*,app2*,app3*,app4*,app5*,app6*,app7*,app8*,app9*) 
| chart count(ApplicationName) over ApplicationName by Status 
| eval ApplicationName=mvindex(split(ApplicationName,"."),0) 
| stats sum(*) as * by ApplicationName
| addtotals 
| append 
    [| makeresults 
    | eval ApplicationName=split("app1,app1.app,app2,app3,app4,app5,app6,app7,app8,app9", ",") 
    | mvexpand ApplicationName 
    | fields - _time ] 
| fillnull value=0 
| stats max(*) as * by ApplicationName

If this reply helps you an upvote and "Accept as Solution" is appreciated.

tscroggins · ‎02-21-2021

@rkishoreqa

To remove the duplicate ApplicationName values with counts of 0 in the various Status columns, untable and then re-chart the data by replacing your final stats command with the following two commands:

| untable ApplicationName Status count
| chart max(count) over ApplicationName by Status

ITWhisperer · ‎02-21-2021

I am not clear what it is you are asking - you have have counts which are correct and you have the extra values for the apps you added - is this not what you expected or are you trying to do something different?

rkishoreqa · ‎02-21-2021

@ITWhisperer
I am preparing a query to get the Application Vs Status counts along with the Applications which are not having the transactions (like below table). Below is the query that I was prepared. As I said earlier here some applications are like app1,app2... and some like app3.application, app4.application......

ApplicationName Success Failed Total
app1 0 0 0
app2 3 0 3
app3 0 0 0
app4 0 0 0
app5 9 1 10
app6 0 0 0
app7 0 0 0

@tscroggins I tried with the two commands given by you, but no difference.

tscroggins · ‎02-21-2021

Here's a functional example using _internal logs that you can adapt to your source type:

If you need totals, add the addtotals command to the end of the search:

For example:

how to remove duplicates in appended queries

stats

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform