Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stats multiple sourcetypes showing unique field question

PPrice
Explorer
‎10-31-2021 05:02 PM

I'm trying to use a key across three sourcetypes to show unique non-multivalue rows using a stats by clause that has a different field in each of the sourcetypes
i.e.
Sourcetype A
NumberA(Key) Date (by clause)

Sourcetype B
NumberB(Key) Username (by clause)

Sourcetype C
NumberC(Key) Version (by clause)

if you use the number field, which is the key across the sourcetypes, as the stats by clause and add the different sourcetype fields as values, it produces multivalue fields (e.g. a number may have multiple dates, or users), where I'm looking for unique rows to show number, Date, Username, Version
e.g.
sourcetype=A OR sourcetype=B OR sourcetype=C
eval number=coalesce(NumberA, NumberB, NumberC)
stats values(sourcetype) values(Date) values(Username) values(Version) by number

I would have thought that you could add the different fields to the stats by clause after the key, but it's not returning anything-
e.g.
sourcetype=A OR sourcetype=B OR sourcetype=C
eval number=coalesce(NumberA, NumberB, NumberC)
stats values(sourcetype) by number Date Username Version

Would this make sense, and is possible?

Labels (2)
Labels
0 Karma
Reply

tread_splunk
Splunk Employee
Splunk Employee
‎11-01-2021 08:16 AM 
Stats values(sourcetype) values(Date) as date values(Username) values(Version)  by number
|mvexpand date
Reply

PPrice
Explorer
‎11-01-2021 12:03 PM

Adding 'as date' in the stats allowed mvexpand to expand across the different sourcetypes, very nice.

Thanks for highlighting it; let me work with it some more and I'll Karma up.

0 Karma
Reply

vhharanpositka
Path Finder
‎10-31-2021 08:15 PM

Hi @PPrice 

 

As per my understanding,

You can use "mvexpand" and "dedup" commands in search to get unique results in rows.

I tried this,

vhharanpositka_0-1635736467752.png

 

Thanks..

Reply

PPrice
Explorer
‎11-01-2021 05:22 AM

The mvexpand didn't seem to work.

I'm trying to produce something like this that contains a unique row that has fields in all three Sourcetypes.

Sourcetypenumber (From all sourcetypes)Date (from SourcetypeA)Username (from SourcetypeB)Version (from SourcetypeC)
SourcetypeA
SourcetypeB
SourcetypeC		1234512/12/2021Fred1.2
SourcetypeA
SourcetypeB
SourcetypeC		1234513/12/2021Fred1.2
SourcetypeA
SourcetypeB
SourcetypeC		1234514/12/2021Fred1.2

 

If I put
 Stats values(sourcetype) values(Username) values(Version) by number,Date
I see these values returned-

Sourcetypenumber(From all sourcetypes)Date (from SourcetypeA)Username (from SourcetypeB)Version (from SourcetypeC)
SourcetypeA1234512/12/2021  
SourcetypeA1234513/12/2021  
SourcetypeA1234514/12/2021  
SourcetypeB12345 Fred 
SourcetypeC12345  1.2

 

If I put
  Stats values(sourcetype) values(Date) values(Username) values(Version)  by number
I see these values returned

Sourcetypenumber(From all sourcetypes)Date (from SourcetypeA)Username (from SourcetypeB)Version (from SourcetypeC)
SourcetypeA
SourcetypeB
SourcetypeC		1234512/12/2021
13/12/2021
14/12/2021		Fred1.2

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...