Solved: Build a parent child relation

bharathkumarnec · ‎08-29-2019

Hi All,

Below is my situation:

parentkey childkey

b c
0 a
a b
b d
b e

Output is to be like this 0-->a-->b-->c,d,e

How can i achieve this in splunk??

TIA

Regards,
BK

Sukisen1981 · ‎08-29-2019

|stats values(childkey) by parentkey |rename values(childkey) as chld | mvexpand chld

View solution in original post

Sukisen1981 · ‎08-29-2019

|stats values(childkey) by parentkey |rename values(childkey) as chld | mvexpand chld

bharathkumarnec · ‎08-29-2019

this is valid only when we have a parent and children, but in my case i have grand children as well...

Sukisen1981 · ‎08-29-2019

hi @bharathkumarnec
in that case ,can you please provide a clearer description of the 'grandchildren' and a more exact requirement?
both @mayurr98 and my answers were based on what you posted in the question.

mayurr98 · ‎08-29-2019

try this ?

| stats values(childkey) as childkey by parentkey

Build a parent child relation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation