topic How to merge using time range and some duplicated field values? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-merge-using-time-range-and-some-duplicated-field-values/m-p/653409#M225802 <P>Hello,</P> <P>I have a table with the following fields from an email security system that are duplicated within a time range of 3s:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="21.806451612903224%"><STRONG>_time&nbsp; &nbsp;</STRONG></TD> <TD width="18.193548387096776%"><STRONG>sender&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>receiver&nbsp; &nbsp; </STRONG></TD> <TD width="20%"><STRONG>subject&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>attach</STRONG></TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 14:07:46</SPAN></TD> <TD width="18.193548387096776%">sender1@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver1@domain.com</A><BR />receiver2@domain.com</TD> <TD width="20%">"email subject"</TD> <TD width="20%"> <P>attach1.pdf</P> <P>attach2.pdf</P> </TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 14:07:49</SPAN></TD> <TD width="18.193548387096776%">sender1@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver1@domain.com</A><BR />receiver2@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 15:10:05</SPAN></TD> <TD width="18.193548387096776%">sender2@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver3@domain.com</A><BR />receiver4@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 15:10:08</SPAN></TD> <TD width="18.193548387096776%">sender2@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver3@domain.com</A><BR />receiver4@domain.com</TD> <TD width="20%">"email2 subject"</TD> <TD width="20%"> <P>attach3.rar</P> <P>attach4.rar</P> </TD> </TR> </TBODY> </TABLE> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%"><SPAN>2023-08-07 16:11:08</SPAN></TD> <TD width="20%">sender3@domain.com</TD> <TD width="20%">receiver5@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>I want to merge the duplicated fields together within the range of 3s without losing the subject and attach value, but I don't want to remove other blank values of the emails that are sent without a subject or attach. It should look like this:</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="21.806451612903224%"><STRONG>_time&nbsp; &nbsp;</STRONG></TD> <TD width="18.193548387096776%"><STRONG>sender&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>receiver&nbsp; &nbsp; </STRONG></TD> <TD width="20%"><STRONG>subject&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>attach</STRONG></TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 14:07:46</SPAN></TD> <TD width="18.193548387096776%">sender1@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver1@domain.com</A><BR />receiver2@domain.com</TD> <TD width="20%">"email subject"</TD> <TD width="20%"> <P>attach1.pdf</P> <P>attach2.pdf</P> </TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 15:10:08</SPAN></TD> <TD width="18.193548387096776%">sender2@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver3@domain.com</A><BR />receiver4@domain.com</TD> <TD width="20%">"email2 subject"</TD> <TD width="20%"> <P>attach3.rar</P> <P>attach4.rar</P> </TD> </TR> </TBODY> </TABLE> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%"><SPAN>2023-08-07 16:11:08</SPAN></TD> <TD width="20%">sender3@domain.com</TD> <TD width="20%">receiver5@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>Thank you.</P> Mon, 07 Aug 2023 19:26:43 GMT evallja 2023-08-07T19:26:43Z How to merge using time range and some duplicated field values? https://community.splunk.com/t5/Splunk-Search/How-to-merge-using-time-range-and-some-duplicated-field-values/m-p/653409#M225802 <P>Hello,</P> <P>I have a table with the following fields from an email security system that are duplicated within a time range of 3s:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="21.806451612903224%"><STRONG>_time&nbsp; &nbsp;</STRONG></TD> <TD width="18.193548387096776%"><STRONG>sender&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>receiver&nbsp; &nbsp; </STRONG></TD> <TD width="20%"><STRONG>subject&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>attach</STRONG></TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 14:07:46</SPAN></TD> <TD width="18.193548387096776%">sender1@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver1@domain.com</A><BR />receiver2@domain.com</TD> <TD width="20%">"email subject"</TD> <TD width="20%"> <P>attach1.pdf</P> <P>attach2.pdf</P> </TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 14:07:49</SPAN></TD> <TD width="18.193548387096776%">sender1@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver1@domain.com</A><BR />receiver2@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 15:10:05</SPAN></TD> <TD width="18.193548387096776%">sender2@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver3@domain.com</A><BR />receiver4@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 15:10:08</SPAN></TD> <TD width="18.193548387096776%">sender2@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver3@domain.com</A><BR />receiver4@domain.com</TD> <TD width="20%">"email2 subject"</TD> <TD width="20%"> <P>attach3.rar</P> <P>attach4.rar</P> </TD> </TR> </TBODY> </TABLE> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%"><SPAN>2023-08-07 16:11:08</SPAN></TD> <TD width="20%">sender3@domain.com</TD> <TD width="20%">receiver5@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>I want to merge the duplicated fields together within the range of 3s without losing the subject and attach value, but I don't want to remove other blank values of the emails that are sent without a subject or attach. It should look like this:</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="21.806451612903224%"><STRONG>_time&nbsp; &nbsp;</STRONG></TD> <TD width="18.193548387096776%"><STRONG>sender&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>receiver&nbsp; &nbsp; </STRONG></TD> <TD width="20%"><STRONG>subject&nbsp; &nbsp;</STRONG></TD> <TD width="20%"><STRONG>attach</STRONG></TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 14:07:46</SPAN></TD> <TD width="18.193548387096776%">sender1@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver1@domain.com</A><BR />receiver2@domain.com</TD> <TD width="20%">"email subject"</TD> <TD width="20%"> <P>attach1.pdf</P> <P>attach2.pdf</P> </TD> </TR> <TR> <TD width="21.806451612903224%"><SPAN>2023-08-07 15:10:08</SPAN></TD> <TD width="18.193548387096776%">sender2@domain.com</TD> <TD width="20%"><A href="mailto:receiver1@domain.com" target="_blank" rel="noopener">receiver3@domain.com</A><BR />receiver4@domain.com</TD> <TD width="20%">"email2 subject"</TD> <TD width="20%"> <P>attach3.rar</P> <P>attach4.rar</P> </TD> </TR> </TBODY> </TABLE> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%"><SPAN>2023-08-07 16:11:08</SPAN></TD> <TD width="20%">sender3@domain.com</TD> <TD width="20%">receiver5@domain.com</TD> <TD width="20%">&nbsp;</TD> <TD width="20%">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>Thank you.</P> Mon, 07 Aug 2023 19:26:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-using-time-range-and-some-duplicated-field-values/m-p/653409#M225802 evallja 2023-08-07T19:26:43Z Re: merge using time range and some duplicated field values https://community.splunk.com/t5/Splunk-Search/How-to-merge-using-time-range-and-some-duplicated-field-values/m-p/653416#M225806 <LI-CODE lang="markup">| streamstats window=2 range(_time) as gap global=f by sender receiver | eval _time=if(gap &lt;= 3, _time-gap, _time) | stats values(subject) as subject values(attach) as attach values(receiver) as receiver by _time sender</LI-CODE><P>This assumes the events are in chronological order and will use the time from the earlier of the pair of events</P> Mon, 07 Aug 2023 13:58:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-using-time-range-and-some-duplicated-field-values/m-p/653416#M225806 ITWhisperer 2023-08-07T13:58:53Z