Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Grouping values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mkrauss1
Explorer
04-15-2014
02:32 PM
Assume we have the following splunk records:
S=1 T=abcd demoval=hello
T=abcd anotherdemo=anothwerhello
T=abcd lastdemo=lastworld
S=1 is mandatory in the search, this initial record must match.
Question: How would i group the T value/key pair to get S,demoval,anotherdemo
and lastdemo together in the output?
Thanks...
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kaufmanm
Communicator
04-15-2014
02:37 PM
The transaction command can group these events together into one event based on a common field:
- | transaction T | table T S demoval anotherdemo lastdemo
Then you can create a table with rows that have the common T values alongside the S, demoval, anotherdemo, and lastdemo values there were previously part of separate events.
http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mkrauss1
Explorer
04-15-2014
02:44 PM
Thanks.
There is one point missing - the initial S=* condition.
Another sample:
S=1 T=abcd demoval=hello
S=xx T=abcd anotherdemo=anothwerhello
S=YY T=abcd lastdemo=lastworld
The T key value should be grouped while the initial search condition must start with S=1
followed
by any other values (xx or yy)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kaufmanm
Communicator
04-15-2014
02:37 PM
The transaction command can group these events together into one event based on a common field:
- | transaction T | table T S demoval anotherdemo lastdemo
Then you can create a table with rows that have the common T values alongside the S, demoval, anotherdemo, and lastdemo values there were previously part of separate events.
http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Transaction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mkrauss1
Explorer
04-15-2014
02:58 PM
Thanks, the table staement made it.
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
