Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

tstats values() function removes duplicates from a multivalued field

darshildave
Explorer
‎03-27-2019 10:34 PM

My dashboard queries are based on datamodel. Hence we are using tstats.
We have a use case where we need to mvzip 2 multivalued fields. We are using values() in tstats but values() remove duplicate entries from multivalued field.
In stats we have list() which doesnot remove the duplicate entries and also preserve the order of occurrence of values.
We want a list() equivalent functionality in tstats query which doesnot remove duplicate values and also preserve the order.

Also we cannot keep this field in by clause.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...