Solved: Consolidating results on to one line

FraserC1 · ‎08-27-2020

Hi,

The search I have returns two events.

One event has the following field:

patches{}.name - This is patches that are to be installed

The other has:

policies{}.packages{}.name - This is patches that failed to install

My search is as follows:

index=main sourcetype=_json id=712803
| rename policies{}.packages{}.name AS "Failed to install", patches{}.name AS "Patches to be installed"
| table name, "Patches to be installed", "Failed to install"

And this returns the following:

name	Patches to be installed	Failed to install
LP-USER-01096		Google Chrome Microsoft OneDrive
LP-USER-01096	Microsoft OneDrive Google Chrome

But what I really want is the following:

name	Patches to be installed	Failed to install
LP-USER-01096	Google Chrome Microsoft OneDrive	Google Chrome Microsoft OneDrive

Is there a way I consolidate these results onto one row so it looks like the above?

ITWhisperer · ‎08-27-2020

| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name

View solution in original post

ITWhisperer · ‎08-27-2020

| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name

FraserC1 · ‎08-27-2020

Got it in one!

Showing the results exactly as I want them. Thanks for your help.

Consolidating results on to one line

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life