Solved: Grouping values

mkrauss1 · ‎04-15-2014

Assume we have the following splunk records:

S=1 T=abcd demoval=hello

T=abcd anotherdemo=anothwerhello

T=abcd lastdemo=lastworld

S=1 is mandatory in the search, this initial record must match.

Question: How would i group the T value/key pair to get S,demoval,anotherdemo
and lastdemo together in the output?

Thanks...

kaufmanm · ‎04-15-2014

The transaction command can group these events together into one event based on a common field:

| transaction T | table T S demoval anotherdemo lastdemo

Then you can create a table with rows that have the common T values alongside the S, demoval, anotherdemo, and lastdemo values there were previously part of separate events.

http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Transaction

View solution in original post

mkrauss1 · ‎04-15-2014

Thanks.
There is one point missing - the initial S=* condition.

Another sample:

S=1 T=abcd demoval=hello

S=xx T=abcd anotherdemo=anothwerhello

S=YY T=abcd lastdemo=lastworld

The T key value should be grouped while the initial search condition must start with S=1

followed
by any other values (xx or yy)

kaufmanm · ‎04-15-2014

The transaction command can group these events together into one event based on a common field:

| transaction T | table T S demoval anotherdemo lastdemo

Then you can create a table with rows that have the common T values alongside the S, demoval, anotherdemo, and lastdemo values there were previously part of separate events.

http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Transaction

mkrauss1 · ‎04-15-2014

Thanks, the table staement made it.

Grouping values

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms