Solved: How to create a table using dedup to show one entr...

stuart338 · ‎10-04-2016

I have events that include an application name field and a uservalue field.

When i table the data by application and uservalue, i see each event individually thus meaning i get multiple pages of events with the same application name.

How can I have one entry for each application name and a multivalue field showing the uservalues?

EG: go from

application uservalue
app1            123456
app1            234567
app1            345678
app2            987654
app2            876543
app2            765432

and get :

application uservalue
app1          123456
              234567
              345678
app2          987654
              876543
              765432

It's probably something really easy, but I've stepped away from Splunk for awhile and forget even the easy stuff.

Thanks

dmaislin_splunk · ‎10-04-2016

source="Workbook1.csv" sourcetype="csv" | stats list(uservalue) as UserValue by application

View solution in original post

dmaislin_splunk · ‎10-04-2016

source="Workbook1.csv" sourcetype="csv" | stats list(uservalue) as UserValue by application

stuart338 · ‎10-04-2016

See, i knew it was easy.. Thanks.

How to create a table using dedup to show one entry for each application name and create a multivalue field?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms