Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge events and show in tabular format?

vrmandadi
Builder
‎04-04-2022 10:39 AM

Hello Splunkers ,

I am trying to see if I can merge the following events and show in a tabular format

sample event 1:

3/31/22
6:54:29.000 AM
 
GB (ID 5): BSN: 15730946, BON: 699-01, BOAA: 01, GPN: 1395, GSN: 920-000

 

Sample event 2:

3/31/22
6:54:29.000 AM
 
CPU (ID 0): BSN: 55506204BC, BON: 555.06901.0004, BOAA: 01, QPN: 16646, QSN: 001

 

Sample event 3:

3/31/22
6:54:29.000 AM
 
CHASN: 166066

 

I want to merge all events which are coming from same host and same time  and show in a tabular format. if there is no value for a particular field it should show UNKNOWN

 

time                           host     CHASN       GPN                    GSN                                  QPN                                                QSN

3/31/22
6:54:29.000 AM  ABC      166066     1395             920-000                          16646                                           001

 

SAMPLE.PNG

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2022 04:48 PM

The host field is not very discriminating.  Depending on the time window searched, there may be many sets of events from the same host and Splunk will combine them all into a single result.

See if this search gets you started.  It presumes you already have the fields extracted.

 

<<your search for event 1>>
| append [ <<your search for event 2>> ]
| append [ <<your search for event 3>> ]
| stats values(*) as * by host
| table _time host CHASN GPN GSN QPN QSN

If you don't have fields extracted then you'll need to do that.

 

 

<<your search for event 1>>
| rex "GPN:\s*(?<GPN>\d+)"
| rex "GSN:\s*(?<GSN>\d+)"
| append [ 
  <<your search for event 2>>
  | rex "QPN:\s*(?<QPN>\d+)"
  | rex "QSN:\s*(?<QSN>\d+)"
]
| append [ 
  <<your search for event 3>>
  | rex "CHASN:\s*(?<CHASN>\d+)"
]
| stats values(*) as * by host
| table _time host CHASN GPN GSN QPN QSN​
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2022 12:21 PM

How does Splunk know how to combine those events?  They should have at least one field in common, but appear to have no common fields.  Don't try to merge events based on _time unless you can guarantee all three will be generated at the exact same millisecond.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-04-2022 03:21 PM

The three sample events have the same host..I am trying to merge them based on same host 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2022 04:48 PM

The host field is not very discriminating.  Depending on the time window searched, there may be many sets of events from the same host and Splunk will combine them all into a single result.

See if this search gets you started.  It presumes you already have the fields extracted.

 

<<your search for event 1>>
| append [ <<your search for event 2>> ]
| append [ <<your search for event 3>> ]
| stats values(*) as * by host
| table _time host CHASN GPN GSN QPN QSN

If you don't have fields extracted then you'll need to do that.

 

 

<<your search for event 1>>
| rex "GPN:\s*(?<GPN>\d+)"
| rex "GSN:\s*(?<GSN>\d+)"
| append [ 
  <<your search for event 2>>
  | rex "QPN:\s*(?<QPN>\d+)"
  | rex "QSN:\s*(?<QSN>\d+)"
]
| append [ 
  <<your search for event 3>>
  | rex "CHASN:\s*(?<CHASN>\d+)"
]
| stats values(*) as * by host
| table _time host CHASN GPN GSN QPN QSN​
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

vrmandadi
Builder
‎04-06-2022 01:11 PM

Thank you..I did some  tweaking and it helped

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...