https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116710#M31001 <P>Either setup a transaction based on <CODE>_time</CODE>:</P> <PRE><CODE>index=counts | eval count_a=case(category=1 AND type='A', count1, category=2 AND type='A', count2) | eval count_b=case(category=1 AND type='B', count3, category=2 AND type='B', count4) | transaction _time | table _time, count_a, count_b </CODE></PRE> <P>Or for better performance, use <CODE>stats</CODE>.</P> <PRE><CODE>index=counts | stats count(eval(category=1 AND type='A')) as count1, count(eval(category=2 AND type='A')) as count2 by _time </CODE></PRE> Sun, 27 Oct 2013 07:58:47 GMT Ayn 2013-10-27T07:58:47Z https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116709#M31000 <P>Hi,</P> <P>I have a weird data structure I'm trying to figure out a better way to handle. The data I'm getting uses category and type fields to tell me what the counts mean. Right now its set up to work something like this, where I do a fair amount of logic to get the counts I want. (but there are actually a lot more categories, types, and logic):</P> <P>index=counts <BR /> | eval count_a=case(category=1 AND type='A', count1, category=2 AND type='A', count2) <BR /> | eval count_b=case(category=1 AND type='B', count3, category=2 AND type='B', count4)<BR /> | table _time, count_a, count_b</P> <P>This gives me results like</P> <PRE><CODE> _time, count_a, count_b </CODE></PRE> <P>1 10/26/13 8:15:00.201 PM, [BLANK], 50</P> <P>2 10/26/13 8:15:00.201 PM, 65, [BLANK]</P> <P>3 10/26/13 8:00:00.201 PM, [BLANK] , 43</P> <P>4 10/26/13 8:00:00.201 PM, 78, BLANK]....</P> <P>The [BLANK]s are literally blank, because not every line if the file has data for each type of count I'm interested in. After all the logic I have count fields for all the counts and every time step has a value for each count, but they are split over multiple lines. Is there a way to combine them so that I can get table with out blanks in it? Like</P> <PRE><CODE> _time, count_a, count_b </CODE></PRE> <P>1 10/26/13 8:15:00.201 PM, 65, 50</P> <P>2 10/26/13 8:00:00.201 PM, 78 , 43....</P> <P>Thanks,<BR /> Tristan</P> Mon, 28 Sep 2020 15:05:41 GMT https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116709#M31000 tristanmatthews 2020-09-28T15:05:41Z https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116710#M31001 <P>Either setup a transaction based on <CODE>_time</CODE>:</P> <PRE><CODE>index=counts | eval count_a=case(category=1 AND type='A', count1, category=2 AND type='A', count2) | eval count_b=case(category=1 AND type='B', count3, category=2 AND type='B', count4) | transaction _time | table _time, count_a, count_b </CODE></PRE> <P>Or for better performance, use <CODE>stats</CODE>.</P> <PRE><CODE>index=counts | stats count(eval(category=1 AND type='A')) as count1, count(eval(category=2 AND type='A')) as count2 by _time </CODE></PRE> Sun, 27 Oct 2013 07:58:47 GMT https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116710#M31001 Ayn 2013-10-27T07:58:47Z https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116711#M31002 <P>ok I fell silly, transaction was the first thing I tried, but clearly I miss read it.</P> Sun, 27 Oct 2013 19:29:23 GMT https://community.splunk.com/t5/Splunk-Search/Splicing-events-with-the-same-time-stamp-together/m-p/116711#M31002 tristanmatthews 2013-10-27T19:29:23Z