Splunk Search

How can I hide rows with duplicate values in an xyseries table?

bradj013
Explorer

I have a large table generated by xyseries where most rows have data values that are identical (across the row). I want to hide the rows that have identical values and only show rows where one or more of the values are different or contain the fillnull value (NULL). Consider this xyseries table:

alt text

In this example, the Cows and Horses rows would be hidden because they contain identical data values. Only the Chickens and Pigs rows should be displayed because they have mismatched data values. I have tried dedup but it does not work against the xyseries and it will not catch the missing events where the value is fillnull'ed.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try something like this

your current search just before the xyseries command, say with field animal, barn, count
| eventstats dc(count) as uniqValues by animal | where uniqValues>1
| xyseries animal barn count

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try something like this

your current search just before the xyseries command, say with field animal, barn, count
| eventstats dc(count) as uniqValues by animal | where uniqValues>1
| xyseries animal barn count

bradj013
Explorer

No workie 😞

The tail end of my search now looks like this:

| eventstats dc(count) as uniqValues by Object | where uniqValues>1 | xyseries Object computer Version | fillnull value="Missing"

I get no events found when I run this. If I pull out the eventstats and where statements, I get results with duplicates. The object field is made from some strings that are smashed together to give a complete file path. Just for giggles, I created a field called OMD from the md5 sum of the Object field and tweaked your idea accordingly:

| eval OMD=md5(Object) | eventstats dc(count) as uniqValues by OMD | where uniqValues>1 | xyseries Object computer Version | fillnull value="Missing"

Still no results.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

your current search WITH xyseries and fillnull command
| untable Object computer Version
| eventstats dc(Version) as uniqValues by Object | where uniqValues>1
| xyseries Object computer Version | fillnull value="Missing"

bradj013
Explorer

This worked! You rock!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...