using 'values' in stats shows values merged

beriwalnishant · ‎11-19-2023

Hello Experts,

I was wondering if you can help me figure out how do I show the merged values in a field as 'unmerged' when use 'values' in stats command

(DETAILS_SVC_ERROR) and (FARE/PRCNG/AVL-MULT. RSNS) are different values .... coming as merged as an example, its merging all values in one when used "Values" OR "List" how to unmerge same

If I use 'mvexpand' it then expands to single count even if the values are same

Thanks in advance

Nishant

PickleRick · ‎11-21-2023

Well, this is how it's supposed to work. list() or values() gives you a multivalued field with a list of values.

If you need something else, you need to do something else.

beriwalnishant · ‎11-20-2023

But then I dont get the individual Totals if I do that along with the message.

ITWhisperer · ‎11-21-2023

Perhaps it would be better for you to show what it is that you do want?

ITWhisperer · ‎11-20-2023

You are correct, mvexpand of a values() or list() field will duplicate the event. If you want to count by ErrorCode separately, include ErrorCode in your by clause of the stats command.

using 'values' in stats shows values merged

count

fields

stats

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

using 'values' in stats shows values merged

count

fields

stats

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0