Splunk Search

Consolidating results on to one line

Path Finder

Hi,

The search I have returns two events.

One event has the following field:

patches{}.name - These are the patches that are to be installed

The other has:

policies{}.packages{}.name - These are the patches that failed to install

My search is as follows:

index=main sourcetype=_json id=712803
| rename policies{}.packages{}.name AS "Failed to install", patches{}.name AS "Patches to be installed"
| table name, "Patches to be installed", "Failed to install"

And this returns the following:

name           Patches to be installed   Failed to install
LP-USER-01096  Google Chrome
               Microsoft OneDrive
LP-USER-01096                            Microsoft OneDrive
                                         Google Chrome

But what I really want is the following:

name           Patches to be installed   Failed to install
LP-USER-01096  Google Chrome             Google Chrome
               Microsoft OneDrive        Microsoft OneDrive

Is there a way I can consolidate these results onto one row so it looks like the above?


Builder
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name
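
The accepted search above can be tried without the original data. This is an added example, not part of the answer: it builds two constructed events with makeresults (the helper fields n, to_install and failed are assumptions used only to build the sample) and then applies the same stats clause.

```spl
| makeresults count=2
| streamstats count AS n
| eval name="LP-USER-01096"
| eval to_install=if(n=1, "Google Chrome,Microsoft OneDrive", null())
| eval failed=if(n=2, "Microsoft OneDrive,Google Chrome", null())
| makemv delim="," to_install
| makemv delim="," failed
| rename to_install AS "patches{}.name", failed AS "policies{}.packages{}.name"
| fields - _time, n
| stats values(policies{}.packages{}.name) AS "Failed to install", values(patches{}.name) AS "Patches to be installed" BY name
```

values() returns the distinct values in lexicographical order, so both columns come back as Google Chrome, Microsoft OneDrive regardless of the order in the events. Use list() in place of values() if duplicates and event order need to be kept.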


Path Finder

Got it in one!

Showing the results exactly as I want them. Thanks for your help.
