How to edit my search to prevent getting duplicate results with mvexpand?

smudge797
Path Finder

I have a set of ticket data and am trying to match the words in the description to track issues. My current search is getting duplicates, and I'm wondering if this is the best approach anyway.

Current search:

index=myindex sourcetype=blah | makemv delim="##Survey##" description | eval description=mvindex(description,0) | makemv description | mvexpand description | search description [ | inputlookup TicketWords.csv | rename Words as description ] | eval description=lower(description)  | top 50 description 

TicketWords.csv = 34 entries under Words
 
The search would match “phone”, but also iphone, and this causes duplicates. Here is a sample event:

"2016-10-31 08:16:04" incidentId="16245821", active="1", createBy="x213163", fullname="Smith, John", createDate="2016-10-31 12:14:35.817", description="I just migrated to phone and have 2 x 24" monitors.  Both display the same output. Can't change to have two independent monitors.
##Survey##
Please choose the option which best describes your problem.: MONITOR CONFIGURATION ON DESKTOP OR LAPTOP - Do you need assistance setting up multiple monitors on your corporate laptop or desktop?: yes - Your ticket has been identified as an issue that can be resolved with the assistance of the Hub website. Among other features, this site will show you How-To Setup Dual Monitors on a Desktop or Laptop. https://hub.my.net/HowTo/HowToLandingPage?helparticle=6441:  - Did the above solution resolve your issue?: no - Please select an option: I tried applying the solution but it did not fix my issue", groupId="5191", groupName="Blah NA TTT Desktop Enterprise"

Flynt
Splunk Employee

It should match the exact terms.

In your subsearch I see description in with your criteria.

index=myindex sourcetype=blah | makemv delim="##Survey##" description | eval description=mvindex(description,0) | makemv description | mvexpand description | search description [ | inputlookup TicketWords.csv | rename Words as description ] | eval description=lower(description)  | top 50 description 

Do you get the same results if you remove that term?

index=myindex sourcetype=blah | makemv delim="##Survey##" description | eval description=mvindex(description,0) | makemv description | mvexpand description | search [ | inputlookup TicketWords.csv | rename Words as description ] | eval description=lower(description)  | top 50 description 
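As an added example (not code from the thread or from Splunk), the Python below models the stages of the search discussed above on constructed sample events: keep the text before ##Survey##, split it into words, lowercase, match against the word list, and count. It shows why exact token matching does not hit "iphone", and why counting each word at most once per incidentId is what removes the rows that mvexpand duplicates. TicketWords.csv contents and the incidentId values are constructed stand-ins.

```python
import re
from collections import Counter

# Constructed sample events modelled on the ticket format in the question:
# the user-written text comes before "##Survey##", the survey text after it.
SAMPLE_EVENTS = [
    {"incidentId": "16245821",
     "description": 'I just migrated to phone and have 2 x 24" monitors. '
                    'Phone still rings.\n##Survey##\nPlease choose ...: MONITOR'},
    {"incidentId": "16245822",
     "description": "My iphone will not sync with the monitor dock.\n##Survey##\n..."},
    {"incidentId": "16245823",
     "description": "Monitor flickers.\n##Survey##\n..."},
]

# Constructed stand-in for the Words column of TicketWords.csv.
TICKET_WORDS = ["phone", "monitor", "laptop"]

def tokens(description):
    """Mirror 'mvindex(description,0) | makemv description | eval lower()':
    keep only the text before ##Survey##, split on whitespace, lowercase.
    Punctuation is also stripped so 'monitors.' becomes 'monitors'; the SPL
    in the question does not do this, it is an added refinement."""
    user_text = description.split("##Survey##")[0]
    return [re.sub(r"[^a-z0-9]", "", w.lower()) for w in user_text.split()]

def count_matches(events, words, once_per_ticket=True):
    """Exact whole-token match against the word list, so 'phone' does not
    hit 'iphone'. once_per_ticket=False reproduces the mvexpand behaviour
    from the question: every occurrence becomes its own row, so a ticket
    that says 'phone' twice is counted twice."""
    wanted = {w.lower() for w in words}
    counts = Counter()
    for event in events:
        hits = [t for t in tokens(event["description"]) if t in wanted]
        counts.update(set(hits) if once_per_ticket else hits)
    return counts

def count_substring_matches(events, words):
    """Contrast: naive substring matching, which is what would make 'phone'
    also hit 'iphone' and 'monitor' hit 'monitors'."""
    wanted = {w.lower() for w in words}
    counts = Counter()
    for event in events:
        text = event["description"].split("##Survey##")[0].lower()
        counts.update({w for w in wanted if w in text})
    return counts

def top_words(counts, n=50):
    """Equivalent of '| top n description': (word, count) by descending count."""
    return counts.most_common(n)

if __name__ == "__main__":
    print(top_words(count_matches(SAMPLE_EVENTS, TICKET_WORDS)))
```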