Solved: Re: How do we chain up events based on parent-chil...

tchen_splunk · ‎10-15-2015

Let's say I have something like this:

time,ParentId,ChildId
12:05:10 PM, ,A1
12:05:11 PM, ,B1
12:05:12 PM,A1 ,A2
12:05:13 PM, ,C1
12:05:14 PM,B1 ,B2
12:05:15 PM,B2 ,B3
12:05:16 PM,A2 ,A3
12:05:17 PM,B3 ,B4
12:05:18 PM,C1 ,C2

As we can see above, we have this parent-child chain going from B1<--B2<--B3<--B4

is there a way to chain up these events without recursion?

tchen_splunk · ‎10-15-2015

Turned out there is indeed a way to do this within Splunk, with the Transaction command:

  | eval ParentId=coalesce(ParentId,ChildId) | eval pc=ParentId.":".ChildId  | makemv delim=":" pc | transaction pc

Thanks to d for providing the solution!

View solution in original post

tchen_splunk · ‎10-15-2015

Turned out there is indeed a way to do this within Splunk, with the Transaction command:

  | eval ParentId=coalesce(ParentId,ChildId) | eval pc=ParentId.":".ChildId  | makemv delim=":" pc | transaction pc

Thanks to d for providing the solution!

How do we chain up events based on parent-child events without recursion?

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)