Re: Group records by two fields

varun99 · ‎03-06-2018

Hi,

I have the data like below:

TransactionID1 TransactionID2
aaaaaaaaaaaa aaaaaaaaaaaa
aaaaaaaaaaaa bbbbbbbbbbb
bbbbbbbbbbb
ccccccccccccc ccccccccccccc
ccccccccccccc ccccccccccccc
ccccccccccccc

I need to group some records based on the above two fields in a way that the first three records come together and last three come together based on the fact that any of the TransactionID1 or TransactionID2 are same. It is a bit easy to group the last three. However, I am finding it difficult to group the 1st three. Kindly help.

DalJeanis · ‎03-07-2018

We need to see a little bit more of the actual search or the actual data to understand what you are having problems with.

hortonew · ‎03-10-2018

Also, what would your desired output look like? I imagine you're trying to group events together if either trans1 or trans2 match the previous one, but break into a new group should neither match.

Group records by two fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation