Splunk ITSI

How to format result by join column results based on another column

nareshkumarg
Path Finder

Hi everyone,
I am new to Splunk, I have a requirement as given below, I have a result as given below by combining two different input lookup.

Country index    servers
Argentina  win_ar   serverA
Argentina  win_ar   serverB
Argentina  win_ar   serverC
Argentina  win_ar   serverD
Barbodos   win_bb   serverE
Barbodos   win_bb   serverF
Barbodos   win_bb   serverG
Bermuda win_bm  serverH
Bermuda win_bm  serverI
Bermuda win_bm  serverJ
Bermuda win_bm  serverk

I am looking for an option on how to combine this result and make it look like below So that I can use it for dashboard creation. I tired nomv but it did work for one row but I want to do it based on grouping column names country and combine column servers.

Country index    servers
Argentina  win_ar   serverA,serverB,serverC,serverD
Barbodos   win_bb   serverE,serverF,serverG
Bermuda win_bm  serverH,serverI,serverJ,serverK

Regards,
Naresh

0 Karma

aberkow
Builder

I'd suggest reading the documentation on the stats command: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Stats, Splunk puts out some pretty good docs. I believe you want something like this:

whatever you had before...
| stats values(servers) as servers by Country, index
| eval servers=mvjoin(servers, ",")

You might not want the group by Country, index, but you might. This will just create unique rows for Argentina, win_ar vs Argentina, win_bb for example.

Other than stats, eval is the next most important to learn in my opinion. Hope this helps!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...