Splunk Search

Group result by fields combination and generate a table

thunder_wu
Path Finder

I have a search that returns four fields from a report database, say f1, f2, f3, f4. I want to group the results by the combination of f3 and f4, then create a table with the following columns:

• f1 from the earliest event in each group
• f2 from the last event in each group
• f3
• f4

How should I complete the query?


jluo_splunk
Splunk Employee

Try..

.. | transaction user_id, claim_number | table user_id, claim_number, id, message

Does this give you a table with what you want (aside from listing just the first and last event ids)?



thunder_wu
Path Finder

What I figured out is:

| stats earliest(id) as earliest_id latest(id) as latest_id latest(message) as latest_message by user_id, claim_number

s2_splunk
Splunk Employee

Can you provide a couple of sample records and your expected outcome? What do you mean by "group by combination of f3 and f4"?


thunder_wu
Path Finder

Assuming the following events happen in time order:

id  message            user_id  claim_number

1   "finished step 1"  100      1000000001
2   "finished step 2"  100      1000000001

3   "finished step 1"  101      1000000001
4   "finished step 2"  101      1000000001
5   "finished step 3"  101      1000000001

6   "finished step 1"  100      1000000002
7   "finished step 2"  100      1000000002
8   "finished step 3"  100      1000000002

For each group of unique (user_id, claim_number), I need a table with the following columns:

  • earliest event's id
  • last event's id
  • last event's message
  • user_id
  • claim_number

Thanks!


thunder_wu
Path Finder

In the above example, there are three groups:
(100, 1000000001) - id = 1,2
(101, 1000000001) - id = 3,4,5
(100, 1000000002) - id = 6,7,8

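The following is an added example, not code from the thread. It reproduces the `stats earliest(id) ... latest(message) ... by user_id, claim_number` answer above in Python over the sample records the asker posted (re-typed here as constructed dicts with an assumed `_time` field), so the expected output for the three groups can be checked offline. It also shows the caveat a practitioner should keep in mind: Splunk's `earliest()` and `latest()` pick values by the event's `_time`, not by `id` or by the order in which events arrived, so a late-indexed or clock-skewed event with an older timestamp changes which `id` is reported as earliest. The `LATE_EVENT` record is a constructed illustration of that, not part of the original data.

```python
from typing import Dict, List, Tuple

# Constructed sample records mirroring the thread's example. `_time` is an
# assumed epoch-style timestamp; in this set it increases with `id`, so id
# order and time order agree.
SAMPLE_EVENTS: List[dict] = [
    {"_time": 1, "id": 1, "message": "finished step 1", "user_id": 100, "claim_number": 1000000001},
    {"_time": 2, "id": 2, "message": "finished step 2", "user_id": 100, "claim_number": 1000000001},
    {"_time": 3, "id": 3, "message": "finished step 1", "user_id": 101, "claim_number": 1000000001},
    {"_time": 4, "id": 4, "message": "finished step 2", "user_id": 101, "claim_number": 1000000001},
    {"_time": 5, "id": 5, "message": "finished step 3", "user_id": 101, "claim_number": 1000000001},
    {"_time": 6, "id": 6, "message": "finished step 1", "user_id": 100, "claim_number": 1000000002},
    {"_time": 7, "id": 7, "message": "finished step 2", "user_id": 100, "claim_number": 1000000002},
    {"_time": 8, "id": 8, "message": "finished step 3", "user_id": 100, "claim_number": 1000000002},
]

# Constructed late-arriving event: a high id, but an older timestamp than
# anything else in its (user_id, claim_number) group.
LATE_EVENT: dict = {
    "_time": 0, "id": 9, "message": "finished step 0", "user_id": 100, "claim_number": 1000000001,
}

GroupKey = Tuple[int, int]


def stats_earliest_latest(events: List[dict]) -> Dict[GroupKey, dict]:
    """Emulate:
        | stats earliest(id) as earliest_id latest(id) as latest_id
                latest(message) as latest_message by user_id, claim_number

    earliest()/latest() are decided by _time, so events are sorted by _time
    first; input order and the id value play no role in the choice.
    """
    ordered = sorted(events, key=lambda e: e["_time"])
    groups: Dict[GroupKey, dict] = {}
    for e in ordered:
        key = (e["user_id"], e["claim_number"])
        if key not in groups:
            # First event seen in time order for this group: it is the earliest.
            groups[key] = {
                "user_id": e["user_id"],
                "claim_number": e["claim_number"],
                "earliest_id": e["id"],
            }
        # Every later event overwrites the "latest" columns, so the last
        # assignment wins, exactly as latest() does.
        groups[key]["latest_id"] = e["id"]
        groups[key]["latest_message"] = e["message"]
    return groups


def render_table(groups: Dict[GroupKey, dict]) -> List[Tuple[int, int, str, int, int]]:
    """Rows in the column order the asker wanted:
    earliest id, last id, last message, user_id, claim_number."""
    return [
        (g["earliest_id"], g["latest_id"], g["latest_message"], g["user_id"], g["claim_number"])
        for g in groups.values()
    ]


if __name__ == "__main__":
    for row in render_table(stats_earliest_latest(SAMPLE_EVENTS)):
        print(row)
    # With the late event added, the first group's earliest_id becomes 9,
    # because its _time (0) is older than that of id 1.
    for row in render_table(stats_earliest_latest(SAMPLE_EVENTS + [LATE_EVENT])):
        print(row)
```

Two practical notes on the SPL itself: `stats` is the right tool here because it streams and scales, whereas `transaction` (the other suggestion in the thread) materialises every event of each group in memory and is subject to its `maxevents` and `maxspan` limits, so on large claim histories it can silently truncate groups. If the `id` field is what should define "first" and "last" rather than `_time`, use `min(id)` and `max(id)` instead of `earliest(id)` and `latest(id)`; the message column then needs a `sort` by `id` and `last(message)` (or a `| sort id | stats ... last(message) ...`) rather than `latest(message)`.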