https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490459#M136952 <P>Hi Splunker,</P> <P>In my application when there is action, 3 events will be created for it.</P> <P>Eg : </P> <PRE><CODE> _time field_1 old_value new_value user name 2020-01-19 13:28:55 ABC C51R 6191 355767013 2020-01-19 13:28:55 DEF C51R 355767013 2020-01-19 13:28:55 DEF C53R 355767013 2020-01-19 12:09:58 ABC C54L 6567 355767013 2020-01-19 12:09:58 DEF C54L 355767013 2020-01-19 12:09:57 DEF C54R 355767013 </CODE></PRE> <P>From the above event, u can see 3 different rows created for each action, some time there might be 5 to 10 seconds gap in _time in the events.</P> <P>name is common and unique in the events, i wanted to know the old value, new value and the user chagned with the _time in single row.</P> <P>My expectations.</P> <PRE><CODE> _time old_valu new_value user name 2020-01-19 13:28:55 C53R C51R 6191 355767013 2020-01-19 12:09:58 C54R C54L 6567 355767013 </CODE></PRE> <P>Thanks in advance.</P> <P>Note: i tried | transaction span=1m _time , | bucket span=1m </P> Thu, 23 Jan 2020 06:02:12 GMT SathyaNarayanan 2020-01-23T06:02:12Z https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490459#M136952 <P>Hi Splunker,</P> <P>In my application when there is action, 3 events will be created for it.</P> <P>Eg : </P> <PRE><CODE> _time field_1 old_value new_value user name 2020-01-19 13:28:55 ABC C51R 6191 355767013 2020-01-19 13:28:55 DEF C51R 355767013 2020-01-19 13:28:55 DEF C53R 355767013 2020-01-19 12:09:58 ABC C54L 6567 355767013 2020-01-19 12:09:58 DEF C54L 355767013 2020-01-19 12:09:57 DEF C54R 355767013 </CODE></PRE> <P>From the above event, u can see 3 different rows created for each action, some time there might be 5 to 10 seconds gap in _time in the events.</P> <P>name is common and unique in the events, i wanted to know the old value, new value and the user chagned with the _time in single row.</P> <P>My expectations.</P> <PRE><CODE> _time old_valu new_value user name 2020-01-19 13:28:55 C53R C51R 6191 355767013 2020-01-19 12:09:58 C54R C54L 6567 355767013 </CODE></PRE> <P>Thanks in advance.</P> <P>Note: i tried | transaction span=1m _time , | bucket span=1m </P> Thu, 23 Jan 2020 06:02:12 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490459#M136952 SathyaNarayanan 2020-01-23T06:02:12Z https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490460#M136953 <P>@SathyaNarayanan </P> <P>Can you please try this?</P> <PRE><CODE>YOUR_SEARCH | eval t=_time | bucket _time span=1m | stats latest(t) as t values(old_value) as old_value values(new_value) as new_value values(user) as user by _time, name | eval _time=t | table _time old_value new_value user name </CODE></PRE> <P><STRONG>Sample:</STRONG></P> <PRE><CODE>| makeresults | eval _raw=" time field_1 old_value new_value user name 2020-01-19 13:28:55 ABC C51R 6191 355767013 2020-01-19 13:28:55 DEF C51R 355767013 2020-01-19 13:28:55 DEF C53R 355767013 2020-01-19 12:09:58 ABC C54L 6567 355767013 2020-01-19 12:09:58 DEF C54L 355767013 2020-01-19 12:09:57 DEF C54R 355767013" | multikv forceheader=1 | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S") | table _time field_1 old_value new_value user name | rename comment as "Upto this is for data generation only" | eval t=_time | bucket _time span=1m | stats latest(t) as t values(old_value) as old_value values(new_value) as new_value values(user) as user by _time, name | eval _time=t | table _time old_value new_value user name </CODE></PRE> Thu, 23 Jan 2020 08:03:11 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490460#M136953 kamlesh_vaghela 2020-01-23T08:03:11Z https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490461#M136954 <PRE><CODE>| makeresults | eval _raw="time,field_1,old_value,new_value,user,name 2020-01-19 13:28:55,ABC,,C51R,6191,355767013 2020-01-19 13:28:55,DEF,,C51R,,355767013 2020-01-19 13:28:55,DEF,C53R,,,355767013 2020-01-19 12:09:58,ABC,,C54L,6567,355767013 2020-01-19 12:09:58,DEF,,C54L,,355767013 2020-01-19 12:09:57,DEF,C54R,,,355767013" | multikv forceheader=1 | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S") | table _time field_1 old_value new_value user name `comment("above is your sample. from here, the logic")` | transaction maxspan=10s name | table _time old_value new_value user name </CODE></PRE> <P>Hi, @SathyaNarayanan<BR /> try <CODE>transaction maxspan=</CODE> .</P> Thu, 23 Jan 2020 11:49:39 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490461#M136954 to4kawa 2020-01-23T11:49:39Z https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490462#M136955 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a> </P> <P>As per your query will show only one change, in my scenario there will be several changes.</P> <P>for example.</P> <P>OLD_VALUE NEW_VALUE<BR /> C53R C56<BR /> C51 C53R<BR /> C54 R C51</P> <P>Thanks</P> Wed, 30 Sep 2020 03:49:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-combine-nearest-time-values-for-each-field/m-p/490462#M136955 SathyaNarayanan 2020-09-30T03:49:07Z