Solved: Combine 2 or more strings based on a comman field

batham · ‎01-29-2023

Hi I am tracking service requests and responses and trying to create a table that contains both requests and response but requests and responses are in different lines ingested in splunk.

I have a common field (trace) which is available in both the strings and unique for a set of request and response pairs,

example

line1: trace: 12345 , Request Received: {1}, URL:http://

line2: trace: 12346 , Request Received: {2}, URL:http://

line3: trace:12345 , Reponse provided: {3}

line4: trace:12346 , Reponse provided :{4}

In line1 and line 3 trace is common field and so is in line 1 and line 4

I want end result like in a table

trace request response

12345 {1} {3}

12346 {2} {4}

batham · ‎01-30-2023

Inner join actually worked for this.

View solution in original post

batham · ‎01-30-2023

Inner join actually worked for this.

yuanliu · ‎01-29-2023

If those lines are the only text in raw data, you can do

| extract pairdelim="," kvdelim=":"
| fields - _raw
| stats values(Request_Received) as request values(Response_provided) as response by trace

The result is

trace	response	request
12345	{3}	{1}
12346	{4}	{2}

Combine 2 or more strings based on a comman field

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Combine 2 or more strings based on a comman field

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25