String concatenation (strcat command) is duplicating results

dbcase
Motivator

Hi,

I have this data

Properties: {   [-] 
         analyticsConfigs:  {   [+] 
        }   
         appVersion:     9.0.0  
         buildTarget:    blah   
         category:   Event  
         networkStatus: {   [-] 
         NT:     3  
        }   
         osName:     iOS    
         platformData:  {   [-] 
         BL:     1  
         BP:     87 
         FF:     1  
         HC:     Apple  
         HM:     iPhone7,2  
         HS:     3oiH88BN7fhGnT45o4s3NVO2rhbUBkTU8J74xBdGuJUMYytJqZQg9c1R_hIObb5wc1CKyNDXepajsVXA   
         LL:     en 
         LO:     US 
         OJ:     10.3.3 
         OS:     1  
         SA:     49953583104    
         ST:     63989493760    
         SU:     14035910656    
         UI:     17812487-32B5-4544-93F8-A3031EB2B0A6   
        }   
    }   
     analyticType:   SessionStart   
     buildTarget:    blah   
     clientSessionId:    DXFOS-CARQDTE  

and this query

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|stats count by oo

the query "works" but it appears that strcat is duplicating values because the results look like this

Android Android 6.0.1 6.0.1
Android Android 7.0 7.0
Android Android 7.1.1 7.1.1 
Android Android 8.0.0 8.0.0
iOS iOS 10.2.1 10.2.1

etc

Am I doing something I shouldn't???

0 Karma
1 Solution

dbcase
Motivator

yep there are dups

os               osversion
iOS iOS          11.1.2 11.1.2
iOS iOS          11.1.1 11.1.1
Android Android  7.0 7.0
Android Android  7.0 7.0
iOS iOS          11.1.1 11.1.1
Android Android  7.0 7.0
Android Android  7.0 7.0

I'll get with support as they set up the extraction.... Thank you!!!

0 Karma

somesoni2
SplunkTrust

Run this and see if you still see duplicate values.

 index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | table os osversion

If you do, it seems there are multiple field extractions being set up (maybe you used INDEXED_EXTRACTION and KV_MODE set to json in props.conf of both indexer/search head).

dbcase
Motivator

I also "fixed" (well that is generous.... I kinda hacked at it) the problem by doing this

index=wholesale_app buildTarget=blah analyticType=SessionStart   |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null"|strcat os " " osversion oo|rex field=oo "(Android|iOS)\s(?<ooo>\w+\s[^\s]+)"|stats count by ooo
0 Karma

somesoni2
SplunkTrust

Works. Another method:

index=wholesale_app buildTarget=blah analyticType=SessionStart      |rename Properties.osName as os Properties.platformData.OJ as osversion|where osversion!="null" | eval os=mvdedup(os) | eval osversion=mvdedup(osversion) |strcat os " " osversion oo|stats count by oo

You can also use mvindex(<<FIELDNAME>>,-1) instead of mvdedup.

0 Karma
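
If the cause is the one suggested earlier in the thread (the same JSON extracted at index time and again at search time), the fix belongs in props.conf rather than in each search. The fragment below is an added example, not configuration from the original posts; the sourcetype name `wholesale_app_json` is a hypothetical placeholder for whatever sourcetype feeds `index=wholesale_app`.

```ini
# props.conf -- added example; [wholesale_app_json] is a hypothetical sourcetype name

# --- Before: every JSON field is extracted twice ---------------------------
# On the forwarder / indexer (index-time structured extraction):
[wholesale_app_json]
INDEXED_EXTRACTIONS = json

# On the search head (search-time extraction of the same JSON):
[wholesale_app_json]
KV_MODE = json
# Result: Properties.osName, Properties.platformData.OJ, etc. become
# multivalue fields holding the same value twice, so strcat and stats
# operate on "iOS iOS" instead of "iOS".

# --- After: keep exactly one extraction path -------------------------------
# On the forwarder / indexer: unchanged
[wholesale_app_json]
INDEXED_EXTRACTIONS = json

# On the search head: turn off search-time JSON extraction for this sourcetype
[wholesale_app_json]
KV_MODE = none

# Alternative: remove INDEXED_EXTRACTIONS at index time and keep
# KV_MODE = json on the search head. Use one path or the other, not both.
```

Running `splunk btool props list wholesale_app_json --debug` on each tier shows which file sets each value. Events indexed before the change keep their index-time fields, so the `table os osversion` check from the thread is the way to confirm the duplicates are gone.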