Splunk Search

Group records by two fields

varun99
Path Finder

Hi,

I have the data like below:

TransactionID1 TransactionID2
aaaaaaaaaaaa aaaaaaaaaaaa
aaaaaaaaaaaa bbbbbbbbbbb
bbbbbbbbbbb
ccccccccccccc ccccccccccccc
ccccccccccccc ccccccccccccc
ccccccccccccc

I need to group some records based on the above two fields in a way that the first three records come together and the last three come together, based on the fact that either TransactionID1 or TransactionID2 is the same. It is a bit easy to group the last three. However, I am finding it difficult to group the first three. Kindly help.

0 Karma

DalJeanis
Legend

We need to see a little bit more of the actual search or the actual data to understand what you are having problems with.

0 Karma

hortonew
Builder

Also, what would your desired output look like? I imagine you're trying to group events together if either trans1 or trans2 match the previous one, but break into a new group should neither match.

0 Karma
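The grouping the question describes, as an added illustration that is not part of any reply in this thread: records are linked whenever they share a value in either field, and the link is carried through chains of records (so it goes beyond matching only against the previous event). The sample rows are constructed from the question; which column the single-value rows belong to is an assumption.

```python
# Added example (not from the thread): group records that share a value in
# TransactionID1 or TransactionID2, transitively, using union-find.

# Sample rows constructed from the question; a missing field is None.
# Putting the lone values in TransactionID1 is an assumption.
SAMPLE = [
    {"TransactionID1": "aaaaaaaaaaaa", "TransactionID2": "aaaaaaaaaaaa"},
    {"TransactionID1": "aaaaaaaaaaaa", "TransactionID2": "bbbbbbbbbbb"},
    {"TransactionID1": "bbbbbbbbbbb", "TransactionID2": None},
    {"TransactionID1": "ccccccccccccc", "TransactionID2": "ccccccccccccc"},
    {"TransactionID1": "ccccccccccccc", "TransactionID2": "ccccccccccccc"},
    {"TransactionID1": "ccccccccccccc", "TransactionID2": None},
]


def group_records(rows, fields=("TransactionID1", "TransactionID2")):
    """Return one group number per row, numbered in order of first appearance.

    Two rows share a group when any value in `fields` is shared, directly or
    through a chain of other rows. None or empty values never create a link.
    """
    parent = {}

    def find(x):
        # Walk to the root, compressing the path as we go.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for i, row in enumerate(rows):
        parent.setdefault(("row", i), ("row", i))
        for f in fields:
            v = row.get(f)
            if v in (None, ""):
                continue
            # Values share one namespace so a match across columns also links.
            key = ("val", v)
            parent.setdefault(key, key)
            union(("row", i), key)

    numbering = {}
    return [numbering.setdefault(find(("row", i)), len(numbering) + 1)
            for i in range(len(rows))]
```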