Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consolidating results on to one line

FraserC1
Path Finder
‎08-27-2020 03:53 AM

Hi,

The search I have returns two events.

One event has the following field:

patches{}.name - This is patches that are to be installed

The other has:

policies{}.packages{}.name - This is patches that failed to install

My search is as follows:

 

index=main sourcetype=_json id=712803
| rename policies{}.packages{}.name AS "Failed to install", patches{}.name AS "Patches to be installed"
| table name, "Patches to be installed", "Failed to install"

 

And this returns the following:

namePatches to be installedFailed to install
LP-USER-01096 Google Chrome
Microsoft OneDrive
LP-USER-01096Microsoft OneDrive
Google Chrome		 

 

But what I really want is the following:

 

namePatches to be installedFailed to install
LP-USER-01096Google Chrome
Microsoft OneDrive		Google Chrome
Microsoft OneDrive

 

Is there a way I consolidate these results onto one row so it looks like the above?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-27-2020 03:59 AM 
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-27-2020 03:59 AM 
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name
Reply
Solved! Jump to solution

FraserC1
Path Finder
‎08-27-2020 04:02 AM

Got it in one!

Showing the results exactly as I want them. Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...