Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to format result by join column results based on another column

nareshkumarg
Path Finder
‎11-14-2019 08:35 AM

Hi everyone,
I am new to Splunk, I have a requirement as given below, I have a result as given below by combining two different input lookup.

Country index    servers
Argentina  win_ar   serverA
Argentina  win_ar   serverB
Argentina  win_ar   serverC
Argentina  win_ar   serverD
Barbodos   win_bb   serverE
Barbodos   win_bb   serverF
Barbodos   win_bb   serverG
Bermuda win_bm  serverH
Bermuda win_bm  serverI
Bermuda win_bm  serverJ
Bermuda win_bm  serverk

I am looking for an option on how to combine this result and make it look like below So that I can use it for dashboard creation. I tired nomv but it did work for one row but I want to do it based on grouping column names country and combine column servers.

Country index    servers
Argentina  win_ar   serverA,serverB,serverC,serverD
Barbodos   win_bb   serverE,serverF,serverG
Bermuda win_bm  serverH,serverI,serverJ,serverK

Regards,
Naresh

0 Karma
Reply

aberkow
Builder
‎11-14-2019 05:05 PM

I'd suggest reading the documentation on the stats command: https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Stats, Splunk puts out some pretty good docs. I believe you want something like this:

whatever you had before...
| stats values(servers) as servers by Country, index
| eval servers=mvjoin(servers, ",")

You might not want the group by Country, index, but you might. This will just create unique rows for Argentina, win_ar vs Argentina, win_bb for example.

Other than stats, eval is the next most important to learn in my opinion. Hope this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...