https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117092#M24415 <P>Ok, this is a good start - I ran the transaction on the timestamp, as this is a performance stats collection that is running every 5 minutes on multiple devices.(Session ID's)</P> <P>I now have a single event that is the composite of the 9 event types.</P> <P>Any way to remove the duplicate null values? (dedup on each field name?)</P> Wed, 10 Sep 2014 16:15:56 GMT david_rundle_fi 2014-09-10T16:15:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117090#M24413 <P>I have the following 9 events with the identical timestamps, but differing information:</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, queue_len, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, 0, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, files_skipped, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, 0, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, buildup_skips, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, 0, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, malware_detected, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, 0, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, scans_canceled, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, 0, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, scans_completed, null, null, null, null, null, null, null, null, null, null, 1461, 6735, 8101, 3869, 20166, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, spf_reads, null, null, null, null, null, 1401, 6342, 8101, 3869, 19713, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, spf_writes, 1401, 6342, 8101, 3869, 19713, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null</P> <P>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, spoolc_drops, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, 0</P> <P>I want to drop the event type (spfreads, spfwrites, etc) and the null values, and combine the events into a single event.</P> <P>How can I do this?</P> Tue, 09 Sep 2014 15:04:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117090#M24413 david_rundle_fi 2014-09-09T15:04:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117091#M24414 <P>You could probably submit some more info, especially on just how you want the combined information to look like. One thing that you might try is the <CODE>transaction</CODE> command.</P> <P>Assuming that the KQ25B6P is some sort of SessionID, perhaps <CODE>... | transaction SessionID max_span=1s |</CODE> might work for you.</P> <P>/k</P> Tue, 09 Sep 2014 20:49:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117091#M24414 kristian_kolb 2014-09-09T20:49:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117092#M24415 <P>Ok, this is a good start - I ran the transaction on the timestamp, as this is a performance stats collection that is running every 5 minutes on multiple devices.(Session ID's)</P> <P>I now have a single event that is the composite of the 9 event types.</P> <P>Any way to remove the duplicate null values? (dedup on each field name?)</P> Wed, 10 Sep 2014 16:15:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117092#M24415 david_rundle_fi 2014-09-10T16:15:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117093#M24416 <P>Well, there is perhaps a far more attractive option;<BR /> Drop the stuff you don't want (the type) by setting it to the same value everywhere, then make use of the <CODE>stats max()</CODE> function. You may first need to replace the string 'null' with a real NULL value, if that is what you have. Or perhaps not. At least in my test you don't</P> <PRE><CODE>your search | eval type = "Combined" | stats max(*) by _time </CODE></PRE> <P>This should look something like;</P> <PRE><CODE>2014-09-09 05:57:58, KQ25B6P, 7.7.1, CommandPost+, 4, 70701, Combined, 1401, 6432, 1234, 3424, 7663, 2342, null, null, 8787, 1461, 6735, 8101, 3869, 20166, null, null, null, null, null, null, null, 0, 0, 0, 0, null, null, null, null, null, null, null, null, null, 5435, 123, 0, 6676, null, null, null, null, null, 0 </CODE></PRE> <P>i.e. if there is a field that does not have a value in either of the events, the combined event will still have 'null'. Otherwise, the highest value will take that place.</P> <P>For presentation purposes you might then want play with <CODE>fields, replace, table, or rename</CODE> etc.</P> <P>Hope this helps,</P> <P>K</P> Thu, 11 Sep 2014 21:32:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-merge-events-with-identical-timestamps-into-one-event-but/m-p/117093#M24416 kristian_kolb 2014-09-11T21:32:52Z