Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to merge my data?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kbarker302
Communicator
02-07-2017
09:21 AM
My raw data looks like this:
Timestamp Field1 Field2 Field3
2017-01-01 AAA Key1 Key1val
2017-01-01 AAA Key2 Key2val
2017-01-01 AAA Key3 Key3val
For my purposes, Timestamp and Field1 uniquely identify a set of events that I would like to merge together.
I would like the formatted results to look like this:
Timestamp Field1 Key1 Key2 Key3
2017-01-01 AAA Key1val Key2val Key3val
Note that in the raw data, Field2 contains the values I would like to appear as column headers, with corresponding row values from Field3.
I have tried various things using eval, stats, eventstats, and appendcols, but have not been able to achieve the desired effect. Is anything like this possible using SPL?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vasanthmss
Motivator
02-07-2017
10:37 AM
Hello,
try the below search,
.... your base search |eval temp=Timestamp+"###"+Field1 |xyseries temp Field2, Field3 | rex field=temp "(?<Timestamp>.*)###(?<Field1>.*)" | fields - temp | table Timestamp, Field1, *
Sample,
raw data creation,
|stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key1" | eval Field3="Key1val" |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key2" | eval Field3="Key2val" ] |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key3" | eval Field3="Key3val" ] | table Timestamp, Field1, Field2, Field3
Sample data with logic,
|stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key1" | eval Field3="Key1val" |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key2" | eval Field3="Key2val" ] |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key3" | eval Field3="Key3val" ] | table Timestamp, Field1, Field2, Field3 |eval temp=Timestamp+"###"+Field1 |xyseries temp Field2, Field3 | rex field=temp "(?<Timestamp>.*)###(?<Field1>.*)" | fields - temp | table Timestamp, Field1, *
Hope this will helps you,
V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vasanthmss
Motivator
02-07-2017
10:37 AM
Hello,
try the below search,
.... your base search |eval temp=Timestamp+"###"+Field1 |xyseries temp Field2, Field3 | rex field=temp "(?<Timestamp>.*)###(?<Field1>.*)" | fields - temp | table Timestamp, Field1, *
Sample,
raw data creation,
|stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key1" | eval Field3="Key1val" |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key2" | eval Field3="Key2val" ] |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key3" | eval Field3="Key3val" ] | table Timestamp, Field1, Field2, Field3
Sample data with logic,
|stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key1" | eval Field3="Key1val" |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key2" | eval Field3="Key2val" ] |append[ |stats c | eval Timestamp="2017-01-01" | eval Field1="AAA" | eval Field2 ="Key3" | eval Field3="Key3val" ] | table Timestamp, Field1, Field2, Field3 |eval temp=Timestamp+"###"+Field1 |xyseries temp Field2, Field3 | rex field=temp "(?<Timestamp>.*)###(?<Field1>.*)" | fields - temp | table Timestamp, Field1, *
Hope this will helps you,
V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kbarker302
Communicator
02-07-2017
11:01 AM
Outstanding - that does exactly what I wanted. Thank you very much! That really is some advanced stuff. Also, I hadn't seen an asterisk used in the table command before.
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
