Splunk Search

How to group the results of a transaction?

Phil219
Path Finder

Hello, my search is: basesearch|transaction attribute|table username, attribute
As expected, this returns a table with groups of usernames that share a common value for the field "attribute":

username               attribute

user1, user2, user3    attribute1

user1, user2, user3    attribute2

user3, user4, user5    attribute3

user3, user4, user5    attribute4

I am interested in creating a new table that condenses the table by groups of users while showing the attributes they have in common - something like this:

username               attribute

user1, user2, user3    attribute1, attribute2

user3, user4, user5    attribute3, attribute4

Any suggestions?

UPDATE WITH PICTURE TO CLARIFY DESIRED OUTCOME

basesearch|transaction attribute

I believe the "transaction" command groups the users together who share the common attribute. So the first table after the transaction command shows all of the users who share each attribute (singular). I want to see statistics based on users that share common attributes (plural). Can you see the attachments?



somesoni2
Revered Legend

Give this a try

basesearch|stats values(username) as username by attribute delim="," | nomv username 
| stats values(attribute) as attribute by username | makemv username delim=","

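The double-stats trick from the accepted answer, re-implemented in Python as an added example (not code from the thread or from Splunk) to show why the multivalue username list has to be flattened with nomv before it can act as a group-by key. The events and user/attribute names below are constructed.

```python
from collections import defaultdict

# Constructed sample events shaped like the asker's first table:
# users 1-3 share attribute1/attribute2, users 3-5 share attribute3/attribute4.
EVENTS = [
    ("user1", "attribute1"), ("user2", "attribute1"), ("user3", "attribute1"),
    ("user1", "attribute2"), ("user2", "attribute2"), ("user3", "attribute2"),
    ("user3", "attribute3"), ("user4", "attribute3"), ("user5", "attribute3"),
    ("user3", "attribute4"), ("user4", "attribute4"), ("user5", "attribute4"),
]


def users_by_attribute(events):
    """Stage 1: `stats values(username) as username by attribute`.
    values() keeps distinct usernames, sorted lexicographically."""
    groups = defaultdict(set)
    for username, attribute in events:
        groups[attribute].add(username)
    return {attr: sorted(users) for attr, users in groups.items()}


def attributes_by_user_group(events, delim=","):
    """Stage 2: `nomv username | stats values(attribute) as attribute by username
    | makemv username delim=","`.
    nomv joins the multivalue user list into one delimited string so that each
    distinct *set* of users becomes a single scalar group-by key; makemv splits
    that key back into a multivalue field for display."""
    flattened = defaultdict(set)
    for attribute, users in users_by_attribute(events).items():
        key = delim.join(users)  # nomv: one scalar key per distinct user set
        flattened[key].add(attribute)
    # makemv: split the key back into a list; values() sorts the attributes
    return [(key.split(delim), sorted(attrs))
            for key, attrs in sorted(flattened.items())]


if __name__ == "__main__":
    for users, attrs in attributes_by_user_group(EVENTS):
        print(", ".join(users), "|", ", ".join(attrs))
```

A user such as user3 can appear in more than one row because the key is the whole user set, not the individual user, which is exactly the grouping the question asks for.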


Phil219
Path Finder

Thanks for the response! Let me give this a shot


Phil219
Path Finder

Nice!!! This works great!

I'm going to have to read up on "delim", "nomv" and "makemv"


sundareshr
Legend

Try this

basesearch|transaction attribute|table username, attribute | mvexpand username | stats values(attribute) as attribute by username

Phil219
Path Finder

Unfortunately, this did not do what I am hoping.

I was hoping for a table that kept the groupings of users per row (user1, user2 and user3 in one group with all of the values of the attributes associated with that group of users in the next column of the same row, with user4, user5 and user6 in the next row with all of the attributes associated with that group of users in the next column of that same row):

username               attribute

user1, user2, user3    attribute1, attribute2

user4, user5, user6    attribute3, attribute4

This search (I apologize for the format, for some reason I cannot format this as code):

basesearch|transaction attribute|table username, attribute | mvexpand username | stats values(attribute) as attribute by username

returned each username individually with all of the attributes associated with that individual

username    attribute

user1       attribute1, attribute2

user2       attribute1, attribute2

user3       attribute3, attribute4

user4       attribute3, attribute4

Any other suggestions?


sundareshr
Legend

How do you decide which user belongs in which group? Is it always 1-2-3, 4-5-6, 7-8-9 etc.?


Phil219
Path Finder

First sundareshr, thank you for your persistence in assistance. I appreciate your help. I updated my question with some pictures. I think my attempt at creating a table within this web browser is more confusing than helpful.


Phil219
Path Finder

Looks like it might work - let me give it a go
