Splunk Search

Group result by fields combination and generate a table

thunder_wu
Path Finder

I have a search that will return 4 fields from a report database, say f1, f2, f3, f4. I want to group result by combination of f3 and f4, then create a table with following columns

• f1 from earliest event for each group
• f2 from last event for each group
• f3
• f4

How should I complete the query?

Tags (3)
0 Karma
1 Solution

jluo_splunk
Splunk Employee
Splunk Employee

Try..

.. | transaction user_id, claim_number | table user_id, claim_number, id, message

Does this give you a table with what you want (aside from listing just the first and last event id's)?

View solution in original post

jluo_splunk
Splunk Employee
Splunk Employee

Try..

.. | transaction user_id, claim_number | table user_id, claim_number, id, message

Does this give you a table with what you want (aside from listing just the first and last event id's)?

thunder_wu
Path Finder

What I figured out is

| stats

earliest(id) as earliest_id
latest(id) as latest_id
latest(message) as latest_message
by user_id, claim_number

s2_splunk
Splunk Employee
Splunk Employee

Can you provide a couple of sample records and your expected outcome? What do you mean by "group by combination of f3 and f4"?

0 Karma

thunder_wu
Path Finder

assuming following happen in order of time

id message user_id claim_number

1 "finished step 1" 100 1000000001
2 "finished step 2" 100 1000000001

3 "finished step 1" 101 1000000001
4 "finished step 2" 101 1000000001
5 "finished step 3" 101 1000000001

6 "finished step 1" 100 1000000002
7 "finished step 2" 100 1000000002
8 "finished step 3" 100 1000000002

for each group of unique (user_id, claim_number), I need a table of following columns

  • earliest event's id
  • last event's id
  • last event's message
  • user_id
  • claim_number

Thanks!

0 Karma

thunder_wu
Path Finder

In above example, there are three groups
(100, 1000000001) - id = 1,2
(101, 1000000001) - id = 3,4,5
(100, 1000000002) - id = 6,7,8

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...