Splunk Search

Consolidating results on to one line

FraserC1
Path Finder

Hi,

The search I have returns two events.

One event has the following field:

patches{}.name - This is patches that are to be installed

The other has:

policies{}.packages{}.name - This is patches that failed to install

My search is as follows:

 

index=main sourcetype=_json id=712803
| rename policies{}.packages{}.name AS "Failed to install", patches{}.name AS "Patches to be installed"
| table name, "Patches to be installed", "Failed to install"

 

And this returns the following:

namePatches to be installedFailed to install
LP-USER-01096 Google Chrome
Microsoft OneDrive
LP-USER-01096Microsoft OneDrive
Google Chrome
 

 

But what I really want is the following:

 

namePatches to be installedFailed to install
LP-USER-01096Google Chrome
Microsoft OneDrive
Google Chrome
Microsoft OneDrive

 

Is there a way I consolidate these results onto one row so it looks like the above?

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| stats values(policies{}.packages{}.name) as "Failed to install", values(patches{}.name) as "Patches to be installed" by name

FraserC1
Path Finder

Got it in one!

Showing the results exactly as I want them. Thanks for your help.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...