Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

tstats values() function removes duplicates from a multivalued field

darshildave
Explorer
‎03-27-2019 10:34 PM

My dashboard queries are based on datamodel. Hence we are using tstats.
We have a use case where we need to mvzip 2 multivalued fields. We are using values() in tstats but values() remove duplicate entries from multivalued field.
In stats we have list() which doesnot remove the duplicate entries and also preserve the order of occurrence of values.
We want a list() equivalent functionality in tstats query which doesnot remove duplicate values and also preserve the order.

Also we cannot keep this field in by clause.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-28-2019 05:17 AM

@darshildave,

You can not use list() with tstats. But if you want to use mvzip for certain fields then I have a workaround for you. As you want to do mvzip then I believe your fields are multivalued.

In this case, You have to add one more EVAL field in datamodel.

Eg,
I have datamodel DM1 with field A and B multivalued fields. You can not achieve the value correlation between field A and B.

So, I have created one more field in datamodel which can hold the result of mvzip of field A and B. Which will give me multivalue of comma separated values of filed A and B

like.

A   B
a   b
aa  bb
aaa bbb
aaa bbbb

New field looks like

c
a,b
aa,b
aaa,bbb
aaa,bbbb

Now just do mvexpand and use mvindex and split to get individual value.

Try and let me know if you face any issue.

Thanks

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...