Solved: How to merge cells in Splunk

spl10 · ‎05-30-2024

I want to merge the cells in column S.No and share the output to the requestor.

The only ask is Splunk should take all the values seperated in different colours and send three different emails.

Ex S.No.

1

2

3

4

5

6

7

8

9

10

11

12

I should send emails to

S.No

1

4

9

yuanliu · ‎05-31-2024

You need to mind the basics of posing an answerable question: clearly illustrate data input (in text table), illustrate desired output (also in text unless it is a graphic visualization), and explain the logic in clear language. It is really unclear what is the relationship between these field values.

If I have to speculate, Appname, and requestor are always paired, S.No and host are always paired. Is this correct? Based on this, I made up the following mock data:

Appname	S.No	host	logtype	requestor	source
A	1	ghi	somelog	abc@def.com	somelog.jkl
A	1	ghi	somelog	abc@def.com	somelog.klm
A	1	ghi	somelog	abc@def.com	somelog.lmn
B	2	hij	somelog	bcd@efg.com	somelog.klm
B	2	hij	somelog	bcd@efg.com	somelog.jkl
C	3	ijk	somelog	cde@fgh.com	somelog.lmn
C	3	ijk	somelog	cde@fgh.com	somelog.aaa
A	4	xyz	somelog	abc@def.com	somelog.opq
A	4	xyz	somelog	abc@def.com	somelog.opq
A	4	xyz	somelog	abc@def.com	somelog.bbb
B	5	wxy	somelog	bcd@efg.com	somelog.rst
B	5	wxy	somelog	bcd@efg.com	somelog.uvw
C	6	vwx	somelog	cde@fgh.com	somelog.uvw
C	6	vwx	somelog	cde@fgh.com	somelog.rst
C	6	vwx	somelog	cde@fgh.com	somelog.opq
A	7	aaa	somelog	abc@def.com	somelog.klm
A	7	aaa	somelog	abc@def.com	somelog.lmn
A	7	aaa	somelog	abc@def.com	somelog.jkl
B	8	bbb	somelog	bcd@efg.com	somelog.klm
C	9	ccc	somelog	cde@fgh.com	somelog.lmn
C	9	ccc	somelog	cde@fgh.com	somelog.aaa
C	9	ccc	somelog	cde@fgh.com	somelog.bbb
A	10	hij	somelog	abc@def.com	somelog.aaa
B	11	jkl	somelog	bcd@efg.com	somelog.aaa
B	11	jkl	somelog	bcd@efg.com	somelog.bbb
B	11	jkl	somelog	bcd@efg.com	somelog.ccc
C	12	ijk	somelog	cde@fgh.com	somelog.abc
C	12	ijk	somelog	cde@fgh.com	somelog.ccc

As @ITWhisperer says, Splunk is not a spreadsheet. You cannot have cell merge and such. But if you really want to simulate the effect, you can do something like this:

| stats values(source) as source by Appname logtype requestor S.No host
| rename S.No as S_No
| eval source = mvjoin(source, ", ")
| tojson S_No host source
| stats values(_raw) as _raw by Appname requestor logtype
| eval host = mvmap(_raw, spath(_raw, "host"))
| eval S.No = mvmap(_raw, spath(_raw, "S_No"))
| eval source = mvmap(_raw, spath(_raw, "source"))
| table S.No Appname requestor logtype source

Result from the above mock data is

S.No	Appname	requestor	logtype	source
1 10 4 7	A	abc@def.com	somelog	somelog.jkl, somelog.klm, somelog.lmn somelog.aaa somelog.bbb, somelog.opq somelog.jkl, somelog.klm, somelog.lmn
11 2 5 8	B	bcd@efg.com	somelog	somelog.aaa, somelog.bbb, somelog.ccc somelog.jkl, somelog.klm somelog.rst, somelog.uvw somelog.klm
12 3 6 9	C	cde@fgh.com	somelog	somelog.abc, somelog.ccc somelog.aaa, somelog.lmn somelog.opq, somelog.rst, somelog.uvw somelog.aaa, somelog.bbb, somelog.lmn

Is this something you are looking for?

Here is mock data emulation:

| makeresults format=csv data="S.No, requestor, Appname, host, logtype, source
1, abc@def.com, A, ghi, somelog, somelog.jkl
1, abc@def.com, A, ghi, somelog, somelog.klm
1, abc@def.com, A, ghi, somelog, somelog.lmn
2, bcd@efg.com, B, hij, somelog, somelog.klm
2, bcd@efg.com, B, hij, somelog, somelog.jkl
3, cde@fgh.com, C, ijk, somelog, somelog.lmn
3, cde@fgh.com, C, ijk, somelog, somelog.aaa
4, abc@def.com, A, xyz, somelog, somelog.opq
4, abc@def.com, A, xyz, somelog, somelog.opq
4, abc@def.com, A, xyz, somelog, somelog.bbb
5, bcd@efg.com, B, wxy, somelog, somelog.rst
5, bcd@efg.com, B, wxy, somelog, somelog.uvw
6, cde@fgh.com, C, vwx, somelog, somelog.uvw
6, cde@fgh.com, C, vwx, somelog, somelog.rst
6, cde@fgh.com, C, vwx, somelog, somelog.opq
7, abc@def.com, A, aaa, somelog, somelog.klm
7, abc@def.com, A, aaa, somelog, somelog.lmn
7, abc@def.com, A, aaa, somelog, somelog.jkl
8, bcd@efg.com, B, bbb, somelog, somelog.klm
9, cde@fgh.com, C, ccc, somelog, somelog.lmn
9, cde@fgh.com, C, ccc, somelog, somelog.aaa
9, cde@fgh.com, C, ccc, somelog, somelog.bbb
10, abc@def.com, A, hij, somelog, somelog.aaa
11, bcd@efg.com, B, jkl, somelog, somelog.aaa
11, bcd@efg.com, B, jkl, somelog, somelog.bbb
11, bcd@efg.com, B, jkl, somelog, somelog.ccc
12, cde@fgh.com, C, ijk, somelog, somelog.abc
12, cde@fgh.com, C, ijk, somelog, somelog.ccc"
``` data emulation above ```

View solution in original post

yuanliu · ‎05-31-2024

You need to mind the basics of posing an answerable question: clearly illustrate data input (in text table), illustrate desired output (also in text unless it is a graphic visualization), and explain the logic in clear language. It is really unclear what is the relationship between these field values.

If I have to speculate, Appname, and requestor are always paired, S.No and host are always paired. Is this correct? Based on this, I made up the following mock data:

Appname	S.No	host	logtype	requestor	source
A	1	ghi	somelog	abc@def.com	somelog.jkl
A	1	ghi	somelog	abc@def.com	somelog.klm
A	1	ghi	somelog	abc@def.com	somelog.lmn
B	2	hij	somelog	bcd@efg.com	somelog.klm
B	2	hij	somelog	bcd@efg.com	somelog.jkl
C	3	ijk	somelog	cde@fgh.com	somelog.lmn
C	3	ijk	somelog	cde@fgh.com	somelog.aaa
A	4	xyz	somelog	abc@def.com	somelog.opq
A	4	xyz	somelog	abc@def.com	somelog.opq
A	4	xyz	somelog	abc@def.com	somelog.bbb
B	5	wxy	somelog	bcd@efg.com	somelog.rst
B	5	wxy	somelog	bcd@efg.com	somelog.uvw
C	6	vwx	somelog	cde@fgh.com	somelog.uvw
C	6	vwx	somelog	cde@fgh.com	somelog.rst
C	6	vwx	somelog	cde@fgh.com	somelog.opq
A	7	aaa	somelog	abc@def.com	somelog.klm
A	7	aaa	somelog	abc@def.com	somelog.lmn
A	7	aaa	somelog	abc@def.com	somelog.jkl
B	8	bbb	somelog	bcd@efg.com	somelog.klm
C	9	ccc	somelog	cde@fgh.com	somelog.lmn
C	9	ccc	somelog	cde@fgh.com	somelog.aaa
C	9	ccc	somelog	cde@fgh.com	somelog.bbb
A	10	hij	somelog	abc@def.com	somelog.aaa
B	11	jkl	somelog	bcd@efg.com	somelog.aaa
B	11	jkl	somelog	bcd@efg.com	somelog.bbb
B	11	jkl	somelog	bcd@efg.com	somelog.ccc
C	12	ijk	somelog	cde@fgh.com	somelog.abc
C	12	ijk	somelog	cde@fgh.com	somelog.ccc

As @ITWhisperer says, Splunk is not a spreadsheet. You cannot have cell merge and such. But if you really want to simulate the effect, you can do something like this:

| stats values(source) as source by Appname logtype requestor S.No host
| rename S.No as S_No
| eval source = mvjoin(source, ", ")
| tojson S_No host source
| stats values(_raw) as _raw by Appname requestor logtype
| eval host = mvmap(_raw, spath(_raw, "host"))
| eval S.No = mvmap(_raw, spath(_raw, "S_No"))
| eval source = mvmap(_raw, spath(_raw, "source"))
| table S.No Appname requestor logtype source

Result from the above mock data is

S.No	Appname	requestor	logtype	source
1 10 4 7	A	abc@def.com	somelog	somelog.jkl, somelog.klm, somelog.lmn somelog.aaa somelog.bbb, somelog.opq somelog.jkl, somelog.klm, somelog.lmn
11 2 5 8	B	bcd@efg.com	somelog	somelog.aaa, somelog.bbb, somelog.ccc somelog.jkl, somelog.klm somelog.rst, somelog.uvw somelog.klm
12 3 6 9	C	cde@fgh.com	somelog	somelog.abc, somelog.ccc somelog.aaa, somelog.lmn somelog.opq, somelog.rst, somelog.uvw somelog.aaa, somelog.bbb, somelog.lmn

Is this something you are looking for?

Here is mock data emulation:

| makeresults format=csv data="S.No, requestor, Appname, host, logtype, source
1, abc@def.com, A, ghi, somelog, somelog.jkl
1, abc@def.com, A, ghi, somelog, somelog.klm
1, abc@def.com, A, ghi, somelog, somelog.lmn
2, bcd@efg.com, B, hij, somelog, somelog.klm
2, bcd@efg.com, B, hij, somelog, somelog.jkl
3, cde@fgh.com, C, ijk, somelog, somelog.lmn
3, cde@fgh.com, C, ijk, somelog, somelog.aaa
4, abc@def.com, A, xyz, somelog, somelog.opq
4, abc@def.com, A, xyz, somelog, somelog.opq
4, abc@def.com, A, xyz, somelog, somelog.bbb
5, bcd@efg.com, B, wxy, somelog, somelog.rst
5, bcd@efg.com, B, wxy, somelog, somelog.uvw
6, cde@fgh.com, C, vwx, somelog, somelog.uvw
6, cde@fgh.com, C, vwx, somelog, somelog.rst
6, cde@fgh.com, C, vwx, somelog, somelog.opq
7, abc@def.com, A, aaa, somelog, somelog.klm
7, abc@def.com, A, aaa, somelog, somelog.lmn
7, abc@def.com, A, aaa, somelog, somelog.jkl
8, bcd@efg.com, B, bbb, somelog, somelog.klm
9, cde@fgh.com, C, ccc, somelog, somelog.lmn
9, cde@fgh.com, C, ccc, somelog, somelog.aaa
9, cde@fgh.com, C, ccc, somelog, somelog.bbb
10, abc@def.com, A, hij, somelog, somelog.aaa
11, bcd@efg.com, B, jkl, somelog, somelog.aaa
11, bcd@efg.com, B, jkl, somelog, somelog.bbb
11, bcd@efg.com, B, jkl, somelog, somelog.ccc
12, cde@fgh.com, C, ijk, somelog, somelog.abc
12, cde@fgh.com, C, ijk, somelog, somelog.ccc"
``` data emulation above ```

spl10 · ‎05-31-2024

Thank you so for the responses @bowesmana @ITWhisperer and a special thanks to @yuanliu.

I really apologize for posting the requirement in an unclear manner, I was extremely fatigued yet desperately needed to find the solution.

Honestly saying I wasn't confident that I would receive the response so quickly and precise.

I sincerely appreciate the community and individuals like you make this as a wonderful forum for discussion.

To be part of this community is an honor.

ITWhisperer · ‎05-30-2024

Splunk is not a spreadsheet, having said that you can use the stats command to "merge cells"

| stats min('S No') as "S No" list(*) as * by Appname

bowesmana · ‎05-30-2024

Before this stats command also add this

| filldown Appname

so that empty Appname rows will adopt the name from above

How to merge cells in Splunk

table

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

Are you a member of the Splunk Community?

How to merge cells in Splunk

table

Transforming Financial Data into Fraud Intelligence

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!