Group results based upon matching values from mult...

jtsplunk · ‎04-11-2012

I'm indexing a CSV that appears like the following in its raw form:

Filenum,string
1,abc
2,defg
2,abc
3,xyz
3,abc
1,xyz
7,uiop
7,abc
4,defg
5,qazwsx
6,qazwsx
1,uiop
4,abc

etc..

In Splunk both "Filenum" and "String" are correctly being extracted as field names.

I'd like to spit out a table that automatically groups Filenums with two or more matching Strings.

For example, Filenum 1 & 3 can be grouped together since they both have Strings abc & xyz.

Sample desired output:

Filenum     1, 3     abc, xyz
Filenum     1, 7     abc, uiop
Filenum     2, 4     abc, defg

Any ideas?

Thanks!

yannK · ‎04-30-2012

partial answer :
Considering that the fields are already extracted, you can do group the Filenum per string.
mysearch | stats values(Filenum) by string

Now you have to figure how to group the filenums together, maybe a sub search.

VipulGarg19 · ‎04-30-2012

Why not use custom search using python scripts?

Group results based upon matching values from multiple fields?

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Group results based upon matching values from multiple fields?

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025