Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Merging data from multiple events into a single field

tchmielarski
Explorer
‎04-27-2011 11:45 AM

I want to merge data from multiple splunk events into a single field value - does anyone know how?
As an example, lets say we have antivirus data events which contain host name and the virus name. I can do a search to return all of the signatures for a specific host. My goal is to merge those signatures.

where the raw records (simplified) might be:
system_1, virus_a
system_1, virus_b
system_1, virus_c
system_2, virus_b

I want my output to be:
dest=system_1, infections="virus_a, virus_b, virus_c"

Tags (1)
0 Karma
Reply

tchmielarski
Explorer
‎04-27-2011 01:40 PM

the answer appears to be |transaction (thanks) plus |mvcombine
The delimiter (delim=",") does not show up, and i'm still working on that so the result is more legible but the current result is more or less what I wanted.

example:
.... |transaction dest_host maxspan=7d maxpause=7d | mvcombine delim="," signature

0 Karma
Reply

thinman
Explorer
‎04-27-2011 11:53 AM

Hi,

look for the transaction command basically adding to you search line:
" | transaction dest "

Don´t forget to include the pipe

Look on: Transaction definition

By the way don't forget to tag your fields!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...