https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470270#M192122 <P>Sorry for the inproper information.</P> <P>Basically the RelatedCorrelationId is my required Output.</P> <P>Where i need to get all the interlinked records of Id and corelationalId. Basically parent child relationship. i need to get all that records in one place.</P> <P>Hope it explains.</P> <P>Regards,<BR /> Santosh</P> Wed, 03 Jun 2020 04:41:13 GMT santosh11 2020-06-03T04:41:13Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470268#M192120 <P>Dear All,</P> <P>I have two columns Id and relationalId below is the sample of it.</P> <P>Id CorrelationalId<BR /> 1 2<BR /><BR /> 2 3<BR /><BR /> 3 4 </P> <P>i am looking to get as an output</P> <P>RelatedCorrelationalId<BR /><BR /> 1 2 3 4 </P> <P>Please can someone guide me on the above issue.</P> <P>Regards,<BR /> Santosh</P> Wed, 03 Jun 2020 04:26:17 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470268#M192120 santosh11 2020-06-03T04:26:17Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470269#M192121 <P>Can you explain How RelatedCorelationalId field is getting populated?</P> Wed, 03 Jun 2020 04:28:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470269#M192121 493669 2020-06-03T04:28:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470270#M192122 <P>Sorry for the inproper information.</P> <P>Basically the RelatedCorrelationId is my required Output.</P> <P>Where i need to get all the interlinked records of Id and corelationalId. Basically parent child relationship. i need to get all that records in one place.</P> <P>Hope it explains.</P> <P>Regards,<BR /> Santosh</P> Wed, 03 Jun 2020 04:41:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470270#M192122 santosh11 2020-06-03T04:41:13Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470271#M192123 <P>@santosh11 Try below query-</P> <PRE><CODE>| eval RelatedCorrelationalId = mvappend(Id, CorrelationalId)| stats count by RelatedCorrelationalId | table RelatedCorrelationalId </CODE></PRE> <P>Below is using sample data-</P> <PRE><CODE>|makeresults|eval Id="1", CorrelationalId="2" |append[|makeresults|eval Id="2", CorrelationalId="3"] |append[|makeresults|eval Id="3", CorrelationalId="4"] |fields - _time| eval RelatedCorrelationalId = mvappend(Id, CorrelationalId)| stats count by RelatedCorrelationalId | table RelatedCorrelationalId </CODE></PRE> <P>Let me know if it helps!</P> Wed, 03 Jun 2020 04:48:56 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470271#M192123 493669 2020-06-03T04:48:56Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470272#M192124 <P>I am trying that now will update you on the status. Thank you for the response.</P> Wed, 03 Jun 2020 04:57:31 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-issue/m-p/470272#M192124 santosh11 2020-06-03T04:57:31Z