Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

tstats values() function removes duplicates from a multivalued field

darshildave
Explorer
‎03-27-2019 10:34 PM

My dashboard queries are based on datamodel. Hence we are using tstats.
We have a use case where we need to mvzip 2 multivalued fields. We are using values() in tstats but values() remove duplicate entries from multivalued field.
In stats we have list() which doesnot remove the duplicate entries and also preserve the order of occurrence of values.
We want a list() equivalent functionality in tstats query which doesnot remove duplicate values and also preserve the order.

Also we cannot keep this field in by clause.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...