Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

tstats values() function removes duplicates from a multivalued field

darshildave
Explorer
‎03-27-2019 10:34 PM

My dashboard queries are based on datamodel. Hence we are using tstats.
We have a use case where we need to mvzip 2 multivalued fields. We are using values() in tstats but values() remove duplicate entries from multivalued field.
In stats we have list() which doesnot remove the duplicate entries and also preserve the order of occurrence of values.
We want a list() equivalent functionality in tstats query which doesnot remove duplicate values and also preserve the order.

Also we cannot keep this field in by clause.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...