Consolidating results on to one line

Path Finder

Hi,

The search I have returns two events.

One event has the following field:

patches{}.name - This is patches that are to be installed

The other has:

policies{}.packages{}.name - This is patches that failed to install

My search is as follows:

index=main sourcetype=_json id=712803
| rename policies{}.packages{}.name AS "Failed to install", patches{}.name AS "Patches to be installed"
| table name, "Patches to be installed", "Failed to install"

And this returns the following:

name          | Patches to be installed | Failed to install
LP-USER-01096 | Google Chrome           |
              | Microsoft OneDrive      |
LP-USER-01096 |                         | Microsoft OneDrive
              |                         | Google Chrome

But what I really want is the following:

name          | Patches to be installed | Failed to install
LP-USER-01096 | Google Chrome           | Google Chrome
              | Microsoft OneDrive      | Microsoft OneDrive

Is there a way I can consolidate these results onto one row so it looks like the above?


Builder
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name


Path Finder

Got it in one!

Showing the results exactly as I want them. Thanks for your help.
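
An added example, not part of the original thread: this search builds two constructed JSON events shaped like the ones in the question (the JSON layout is an assumption inferred from the field names) and applies the accepted stats clause, with an extra list() column for comparison. values() returns each distinct value once in lexicographical order, while list() keeps event order and duplicates.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "{\"name\":\"LP-USER-01096\",\"patches\":[{\"name\":\"Google Chrome\"},{\"name\":\"Microsoft OneDrive\"}]}",
    "{\"name\":\"LP-USER-01096\",\"policies\":[{\"packages\":[{\"name\":\"Microsoft OneDrive\"},{\"name\":\"Google Chrome\"}]}]}")
| spath
| stats values(patches{}.name) AS "Patches to be installed",
        values(policies{}.packages{}.name) AS "Failed to install",
        list(policies{}.packages{}.name) AS "Failed to install (event order)"
        BY name
```

The result is a single row for LP-USER-01096 in which both values() columns read Google Chrome, Microsoft OneDrive, while the list() column keeps the original Microsoft OneDrive, Google Chrome order.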
