topic How to group the results of a transaction? in Splunk Search

How to group the results of a transaction?

Phil219 — Wed, 11 May 2016 19:44:00 GMT

Hello, my search basesearch|transaction attribute|table username, attribute
As expected, this returns a table with groups of usernames that share a common value for the field "attribute":

username attribute

user1 attribute1
user2

user3

user1 attribute2
user2

user3

user3 attribute3
user4
user5

user3 attribute4
user4
user5

I am interested in creating a new table that condenses the table by groups of users while showing the attributes they have in common - something like this:

username attribute

user1 attribute1
user2 attribute 2
user3

user3 attribute3
user4 attribute4
user5
Any suggestions?

UPDATE WITH PICTURE TO CLARIFY DESIRED OUTCOME

basesearch|transaction attribute

I believe the "transaction" command groups the users together who share the common attribute. So the first table after the transaction command shows all of the users who share each attribute (singular) . I want to see statistics based on users that share common attributes (plural). Can you see the attachments?

Re: How to group the results of a transaction?

sundareshr — Wed, 11 May 2016 19:53:17 GMT

Try this

basesearch|transaction attribute|table username, attribute | mvexpand username | stats values(attribute ) as attribute by username

Re: How to group the results of a transaction?

Phil219 — Wed, 11 May 2016 23:29:26 GMT

Looks like it might work - let me give it a go

Re: How to group the results of a transaction?

Phil219 — Wed, 11 May 2016 23:54:37 GMT

Unfortunately, this did not do what I am hoping.

I was hoping for a table that kept the groupings of users per row (user1,user2and user3 in one group with all of the values of the attributes associated with that group of users in the next collumn of the same row, with user4,user5,and user6 in the next row with all of the attributes associated with that group of users in the next column of that same row):

username attribute

user1 attribute 1
user2 attribute 2

user3

user4 attribute3
user5 attribute4
user6
This search (I apologize for the format, for some reason I cannot format this as code):

 basesearch|transaction attribute|table username, attribute | mvexpand username | stats values(attribute ) as attribute by username

returned each username individually with all of the attributes associated with that individual

username attribute

user1 attribute 1

_______attribute 2

user2 attribute1

_______attribute2

user3 attribute3

_______attribute4

user4 attribute3

_______attribute4

Any other suggestions?

Re: How to group the results of a transaction?

sundareshr — Thu, 12 May 2016 00:29:09 GMT

How do you decide which user belongs in which group? Is it always 1-2-3, 4-5-6-, 7-8-9 etc?

Re: How to group the results of a transaction?

Phil219 — Thu, 12 May 2016 05:11:38 GMT

First sundareshr, thank you for your persistance in assistance. I appreciate your help. I updated my question with some pictures. I think my attempt at creating a table within this web-browser is more confusing than helpful.

Re: How to group the results of a transaction?

somesoni2 — Thu, 12 May 2016 06:55:32 GMT

Give this a try

basesearch|stats values(username) as username by attribute delim="," | nomv username 
| stats values(attribute) as attribute by username | makemv username delim=","

Re: How to group the results of a transaction?

Phil219 — Thu, 12 May 2016 21:20:47 GMT

Thanks for the response! Let me give this a shot

Re: How to group the results of a transaction?

Phil219 — Thu, 12 May 2016 21:26:17 GMT

Nice!!! This works great!

I'm going to have to read up on "delim", "nomv" and "makemv"