topic Combine 2 or more strings based on a comman field in Splunk Search

Combine 2 or more strings based on a comman field

batham — Mon, 30 Jan 2023 01:20:25 GMT

Hi I am tracking service requests and responses and trying to create a table that contains both requests and response but requests and responses are in different lines ingested in splunk.

I have a common field (trace) which is available in both the strings and unique for a set of request and response pairs,

example

line1: trace: 12345 , Request Received: {1}, URL:http://

line2: trace: 12346 , Request Received: {2}, URL:http://

line3: trace:12345 , Reponse provided: {3}

line4: trace:12346 , Reponse provided :{4}

In line1 and line 3 trace is common field and so is in line 1 and line 4

I want end result like in a table

trace request response

12345 {1} {3}

12346 {2} {4}

Re: Combine 2 or more strings based on a comman field

yuanliu — Mon, 30 Jan 2023 07:08:40 GMT

If those lines are the only text in raw data, you can do

| extract pairdelim="," kvdelim=":" | fields - _raw | stats values(Request_Received) as request values(Response_provided) as response by trace

The result is

trace	response	request
12345	{3}	{1}
12346	{4}	{2}

Re: Combine 2 or more strings based on a comman field

batham — Mon, 30 Jan 2023 20:00:22 GMT

Inner join actually worked for this.