Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Remove the repetative values from row

harshal_chakran
Builder
‎01-03-2014 01:55 AM

Hi,

I have written a search query which gives the result as below:

alt text

my search query is:

sourcetype=csv| search 409,1| rex field=_raw "(\d+,){2}(?\d+)"|rex field=_raw "(\d+,){3}(?\d+)"|rex field=_raw "(\d+,){44}(?\d+)"| stats list(fieldid) as field_ID, list(headid) as head_ID,list(head_value) as Value|eval Parameter = "parameter_1"|eval hex= "112"|eval bell_id= "33"|fields Parameter hex bell_ID field_ID head_ID Value

what I want to do is to merge the rows of field_ID and head_ID, if they repeats and sum the "Value" field and show it as single row instead.
as below:-

alt text

Please Help...!!!

Tags (4)
0 Karma
Reply

lguinn2
Legend
‎01-05-2014 10:05 PM

I would use values instead of list in my stats command:

sourcetype=csv 409,1 
| rex field=_raw "(d+,){2}(?<fieldid>d+)"
| rex field=_raw "(d+,){3}(?<headid>d+)"
| rex field=_raw "(d+,){44}(?<head_value>d+)"
| stats values(fieldid) as field_ID, values(headid) as head_ID, sum(head_value) as Value
| eval Parameter = "parameter_1"
| eval hex= "112"
| eval bell_id= "33"
| fields Parameter hex bell_ID field_ID head_ID Value

Also, I don't see a need for the search command - you can put that as part of the first search

But on closer reading, I think this may be what you want:

sourcetype=csv 409,1 
| rex field=_raw "(d+,){2}(?<fieldid>d+)"
| rex field=_raw "(d+,){3}(?<headid>d+)"
| rex field=_raw "(d+,){44}(?<head_value>d+)"
| stats sum(head_value) as sumValue by fieldid headid
| stats list(fieldid) as field_ID, list(headid) as head_ID, list(sumValue) as Value
| eval Parameter = "parameter_1"
| eval hex= "112"
| eval bell_id= "33"
| fields Parameter hex bell_ID field_ID head_ID Value
0 Karma
Reply

linu1988
Champion
‎01-03-2014 02:24 AM

Hello ,
If you just add a sum command with all the distinct fields you will get the desired result.

sourcetype=csv| search 409,1| rex field=_raw "(d+,){2}(?<fieldid>d+)"|rex field=_raw "(d+,){3}(?<headid>d+)"|rex field=_raw "(d+,){44}(?<head_value>d+)"| stats sum(head_value) as Value by fieldid,headid |eval Parameter = "parameter_1"|eval hex= "112"|eval bell_id= "33"|fields Parameter hex bell_ID fieldid headid Value|stats list(fieldid) as field_ID,list(headid) as HeadID,list(Value) as Value by Parameter,hex,bell_ID

Check if this works for you.

Reply

linu1988
Champion
‎01-05-2014 09:54 PM

Could you check if the data is extracted from the rex before doing the stats? Could you post the result

sourcetype=csv| search 409,1| rex field=_raw "(d+,){2}(?d+)"|rex field=_raw "(d+,){3}(?d+)"|rex field=_raw "(d+,){44}(?d+)"|table headid,fieldid,head_value

0 Karma
Reply

harshal_chakran
Builder
‎01-05-2014 08:59 PM

No, it doesn't show any output.
No result is seen even after shorting the query as:

sourcetype=csv| search 409,1| rex field=_raw "(d+,){2}(?d+)"|rex field=_raw "(d+,){3}(?d+)"|rex field=_raw "(d+,){44}(?d+)"| stats sum(head_value) as Value by fieldid,headid

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...