Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Removing duplicates in exported Report results

asarolkar
Builder
‎01-30-2013 04:23 PM

I have a search like this which produces the result I want (it counts modules per account number and location - the log has moduleId, account number and location)

sourcetype="accountLog" ModuleID=* accountLocation=* | dedup ModuleID | stats count(ModuleID) AS Total by accountNumber, accountLocation




These are the results I get in the correct format.

AccountNumber | Account Location | Total

    1234                   US            123

    1234                   EU             545

How do I get rid of the Account number appearing multiple times?
Can we selectively stop it from duplicating row values for just this column (without using dedup - i cannot use dedup here for obvious reasons) ?

Before an answer is proposed I already know about using list(values).

If I append list(values) by to my current filter, it works, but when i export it into a CSV file (or get splunk to run a query to generate it inline).

I am trying to get non-duplicates for that column in the exported CSV.

Any suggestions ?

Tags (3)
0 Karma
Reply

jeff
Contributor
‎01-31-2013 08:47 AM

Well you could do what you want with some stats functions... something like

sourcetype="accountLog" ModuleID=* accountLocation=* | dedup ModuleID
| stats count(ModuleID) AS Total by accountNumber, accountLocation
| sort Total desc
| eval location=accountLocation.": ".Total
| stats list(location) by accountNumber

should give you a report with two columns

accountNumber | location
1234            EU: 545
                US: 123
Reply

asarolkar
Builder
‎01-31-2013 11:52 PM

Man that was a brilliant solution !
Splunk is not excel. I get that.

But this solution saved us a lot of work.

Reply

yannK
Splunk Employee
Splunk Employee
‎01-31-2013 08:35 AM

This is splunk not excel, you kind of need a value for each field of each event .....

you could play with streamstats to create a new field for the column that will be empty if this is the same than the previous one.

Reply

asarolkar
Builder
‎01-31-2013 07:37 AM

That is correct !

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-31-2013 01:35 AM

Just to be sure I understand your goal, is this the result you're looking for?

AccountNumber | Account Location | Total
1234            US                 123
                EU                 545

In other words, still two rows but empty in row 2 column 1?

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...