Splunk Search

tstats values() function removes duplicates from a multivalued field

Explorer

My dashboard queries are based on datamodel. Hence we are using tstats.
We have a use case where we need to mvzip 2 multivalued fields. We are using values() in tstats but values() remove duplicate entries from multivalued field.
In stats we have list(), which does not remove duplicate entries and also preserves the order of occurrence of values.
We want a list() equivalent functionality in the tstats query which does not remove duplicate values and also preserves the order.

Also we cannot keep this field in by clause.


SplunkTrust

@darshildave,

You cannot use list() with tstats. But if you want to use mvzip for certain fields, then I have a workaround for you. As you want to do mvzip, I believe your fields are multivalued.

In this case, you have to add one more EVAL field in the datamodel.

Eg,
I have datamodel DM1 with fields A and B, both multivalued. You cannot achieve the value correlation between field A and B.

So, I have created one more field in the datamodel which can hold the result of mvzip of fields A and B, which will give me a multivalue of comma-separated values of fields A and B,

like:

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

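A worked version of this workaround, added here as an example and not part of the original answer: the datamodel DM1 (root dataset assumed to also be named DM1, with a host field) gets a calculated field c defined by the eval expression mvzip(A, B, ","), and the search below recovers the paired A/B values from it without putting either field in the by clause.

```spl
| tstats values(DM1.c) AS c FROM datamodel=DM1 WHERE DM1.c=* BY DM1.host
| rename DM1.host AS host
| mvexpand c
| eval pair=split(c, ","), A=mvindex(pair, 0), B=mvindex(pair, 1)
| table host A B
```

Because values() still deduplicates and sorts the zipped field, an identical A,B pair that occurs twice for one host shows up once; what the eval field preserves is the pairing itself, which a plain values(A) and values(B) would lose.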

