Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to prevent values from appearing twice in a single cell of a table

andres91302
Communicator
‎04-20-2021 04:06 PM

Hello Everyone I hope you are safe and sound,

I'm extracting values from events that come in a Json format and after that I want to create a Table were I can see each ID and the product thy bought from the store but I am always getting within a single cell the same value repeated two times and when I try to do a stats count then... it is also count twice...

This is my code:

index=purchase_store_x1
| rex mode=sed "s/^(?i)(?:(?!{).)+//g"
| spath
| search BodyJson.name="pdone.ok"
| rename BodyJson.product.ID as PRODUCT
| rename BodyJson.ID.CX.Unique as ID
| table ID PRODUCT
| sort -ID

and so instead of getting the ID asociaed with the product purchased I get something like this:

IDPRODUCT
31254
31254		XUI45
XUI45
54581
54581		XUI8
XUI45
47851
47851		XUIE58
XUI45


How can I just a normal table without having the same value repeated twice in the cell? THANK YOU SO MUCH for your help,

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-20-2021 05:49 PM

@andres91302 

It looks like ID is always duplicated, but product can be different, so if that's the case

..your_search..
| eval ID=mvdedup(ID), PRODUCT=mvdedup(PRODUCT)
| table ID PRODUCT
| sort -ID

or

..your_search..
| eval ID=mvdedup(ID)
| stats values(PRODUCT) by ID
| sort -ID

use whichever suits your data better

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-20-2021 05:49 PM

@andres91302 

It looks like ID is always duplicated, but product can be different, so if that's the case

..your_search..
| eval ID=mvdedup(ID), PRODUCT=mvdedup(PRODUCT)
| table ID PRODUCT
| sort -ID

or

..your_search..
| eval ID=mvdedup(ID)
| stats values(PRODUCT) by ID
| sort -ID

use whichever suits your data better

 

Reply
Solved! Jump to solution

andres91302
Communicator
‎04-20-2021 07:45 PM

Thank you so much! 10/10

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-20-2021 05:29 PM

Try mvexpand.

index=purchase_store_x1
| rex mode=sed "s/^(?i)(?:(?!{).)+//g"
| spath
| search BodyJson.name="pdone.ok"
| rename BodyJson.product.ID as PRODUCT
| rename BodyJson.ID.CX.Unique as ID
| mvexpand PRODUCT
| table ID PRODUCT
| sort -ID

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎04-20-2021 07:44 PM

Thank you so much for your help this was excellent

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...