Merging data from multiple events into a single fi...

tchmielarski · ‎04-27-2011

I want to merge data from multiple splunk events into a single field value - does anyone know how?
As an example, lets say we have antivirus data events which contain host name and the virus name. I can do a search to return all of the signatures for a specific host. My goal is to merge those signatures.

where the raw records (simplified) might be:
system_1, virus_a
system_1, virus_b
system_1, virus_c
system_2, virus_b

I want my output to be:
dest=system_1, infections="virus_a, virus_b, virus_c"

tchmielarski · ‎04-27-2011

the answer appears to be |transaction (thanks) plus |mvcombine
The delimiter (delim=",") does not show up, and i'm still working on that so the result is more legible but the current result is more or less what I wanted.

example:
.... |transaction dest_host maxspan=7d maxpause=7d | mvcombine delim="," signature

thinman · ‎04-27-2011

Hi,

look for the transaction command basically adding to you search line:
" | transaction dest "

Don´t forget to include the pipe

Look on: Transaction definition

By the way don't forget to tag your fields!

Merging data from multiple events into a single field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation