Solved: How to merge remaining fields into a multivalue fi...

russell120 · ‎03-07-2019

Hi,

Just as the question says. My current search results in something similar to this:

ip       device
--------------------
111     workstation
--------------------
111     cell_phone
--------------------
111      router
--------------------

Running |dedup ip deletes two entire rows without keeping all 3 device values. Instead, I'd like to have it merge the device field into a multivalue field when duplicate ip values are found like so:

ip       device
--------------------
        workstation
111     cell_phone
         router
--------------------

What command(s) do I need to accomplish this?

pkeenan87 · ‎03-07-2019

stats command should work here

base search....
| stats values(device) as device by ip

View solution in original post

pkeenan87 · ‎03-07-2019

stats command should work here

base search....
| stats values(device) as device by ip

russell120 · ‎03-07-2019

Ah I was having a brain fart. This did the trick, thanks.

daljeanis_rtp · ‎03-07-2019

| stats values(device) as device by ip

How to merge remaining fields into a multivalue field after dedup'ing one field?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!