How to group by a field and display multiple field...

andytangjpmc · ‎09-24-2019

I have trace, level, and message fields in my events. I want to group by trace, and I also want to display all other fields. I'm having issues with multiple fields lining up when they have different amount of lines.

Here's what I want:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        |       | Line2    |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        | DEBUG | Message3 |
+--------+-------+----------+

But I end up with results like this:

+--------+-------+----------+
| trace1 | INFO  | Message1 |
|        +-------+ Line2    |
|        | DEBUG |          |
|        +-------+----------+
|        | DEBUG | Message2 |
|        +-------+----------+
|        |       | Message3 |
+--------+-------+----------+

Here's my search query:

| stats list(level), list(message) by trace

somesoni2 · ‎09-24-2019

Multiple level grouping (similar to merging columns in Excel) is not supported natively. For your requirement, try something like this:

..| stats list(message) by trace level

OR

...| eval Level_message=level."  ##  ".message | stats list(Level_message) by trace

How to group by a field and display multiple fields

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to group by a field and display multiple fields

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits