Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to dedup results based on id only if the field is not empty

anthonycopus
Path Finder
‎10-24-2013 07:31 AM

Hi,

I need help deduplicating in a search where only half the data contains an id. Basically, the old data has a field ses_id : "" whilst the new data will be populated ses_id : "123"

The search ends up with a table where we need a count which only deduplicates the entries which have a number in the ses_id field. A normal dedup is not good enough as it will count all the entries with "" as a single one obviously.

My search is as follows:

index="testindex" app="testapp" action="view" | stats count as views, max(_time) as _time by name

Any help would be appreciated,

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

anthonycopus
Path Finder
‎10-24-2013 08:32 AM

Found an easy fix by changing the field populated with "" to null using the following search in total:

index="testindex" app="testapp" action="view" | eval ses_id=nullif(ses_id,"") | dedup ses_id keepempty=true | stats count as views, max(_time) as _time by name

Changing the field to null is there was no entry meant the keepempty property in the dedup can be used successfully

View solution in original post

Reply
Solved! Jump to solution
Solution

anthonycopus
Path Finder
‎10-24-2013 08:32 AM

Found an easy fix by changing the field populated with "" to null using the following search in total:

index="testindex" app="testapp" action="view" | eval ses_id=nullif(ses_id,"") | dedup ses_id keepempty=true | stats count as views, max(_time) as _time by name

Changing the field to null is there was no entry meant the keepempty property in the dedup can be used successfully

Reply
Solved! Jump to solution

nick405060
Motivator
‎03-14-2019 12:24 PM

tl;dr keepempty=true

I have no idea how I have used Splunk for this long and not known about this. Thanks.

0 Karma
Reply
Solved! Jump to solution

anthonycopus
Path Finder
‎10-24-2013 08:30 AM

Thanks, in the end I found a cleaner alternative:

| eval ses_id=nullif(ses_id,"") | dedup ses_id keepempty=true

Changing the "" in the field to null meant I could use the keepempty function in the search

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-24-2013 07:51 AM

You could try to search for ses_id is not null, dedup the results, and then join a second search that finds those ses_id that are null.

There is not enough info to tell you what field to join on.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...