https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657763#M227177 <P>Hello, I have the following search</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=wineventlog EventCode=4728 OR EventCode = 4731 OR EventCode=4729 OR EventCode=4732 OR EventCode=4756 OR EventCode=4756 NOT src_user=*$ | rename src_user as admin, name as action | table admin, Group_Name, user_name</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>This spits out output like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin Group_Name user_name adminx GroupA UserA adminx GroupB UserA adminx GroupC UserA adminy GroupD UserB adminy GroupE UserB adminy GroupF UserC adminy GroupF UserD</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I'm trying to combine them into a single message that looks like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin Group_Name user_name adminx GroupA,GroupB,GroupC UserA adminy GroupD,GroupE UserB adminy GroupF UserC,UserD</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>What would be the best way to achieve that?</P> Mon, 18 Sep 2023 22:03:36 GMT Niro 2023-09-18T22:03:36Z https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657763#M227177 <P>Hello, I have the following search</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=wineventlog EventCode=4728 OR EventCode = 4731 OR EventCode=4729 OR EventCode=4732 OR EventCode=4756 OR EventCode=4756 NOT src_user=*$ | rename src_user as admin, name as action | table admin, Group_Name, user_name</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>This spits out output like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin Group_Name user_name adminx GroupA UserA adminx GroupB UserA adminx GroupC UserA adminy GroupD UserB adminy GroupE UserB adminy GroupF UserC adminy GroupF UserD</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I'm trying to combine them into a single message that looks like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin Group_Name user_name adminx GroupA,GroupB,GroupC UserA adminy GroupD,GroupE UserB adminy GroupF UserC,UserD</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>What would be the best way to achieve that?</P> Mon, 18 Sep 2023 22:03:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657763#M227177 Niro 2023-09-18T22:03:36Z https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657787#M227187 <LI-CODE lang="markup">| stats values(Group_Name) as Group_Name by admin user_name | eval Group_Name=mvjoin(Group_Name, ",") | stats values(user_name) as user_name by admin Group_Name | eval user_name=mvjoin(user_name,",")</LI-CODE> Sat, 16 Sep 2023 05:55:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657787#M227187 ITWhisperer 2023-09-16T05:55:09Z https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657840#M227221 <P>That worked perfectly, thank you!</P> Mon, 18 Sep 2023 03:59:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Combine-column-from-multiple-search-results/m-p/657840#M227221 Niro 2023-09-18T03:59:04Z