Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to merge the content of a group
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junlozhang
Explorer
05-07-2021
03:20 AM
Let's say the data looks like:
| StudentName | StudentId | Grade | ExamDate |
| Tom | 1 | 60 | 2021-04-01 |
| Jerry | 2 | 70 | 2021-04-01 |
| Tom | 1 | 62 | 2021-04-07 |
| Jerry | 2 | 55 | 2021-04-07 |
And the the result I want looks like:
| Formatted |
| Tom,1:2021-04-01,60;2021-04-07,62 |
| Jerry,2;2021-04-01,70;2021-04-07,55 |
I want to divide the origin data into groups by key "StudentId", and then merge the contents in each group to make a formatted string
Of course, I can get all the data and write a program in Python or Java to process it.... But it would be better if I can do this only with SPL
I have written a script to group by "StudentId":
transaction StudentId
| stats list(_raw) as rawList by StudentId
But don't know what to do next
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
05-07-2021
04:08 AM
Can you please try this? Just modify search as per your requirement.
YOUR_SEARCH
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted
Sample Search:
| makeresults
| eval _raw="StudentName StudentId Grade ExamDate
Tom 1 60 2021-04-01
Jerry 2 70 2021-04-01
Tom 1 62 2021-04-07
Jerry 2 55 2021-04-07
"
| multikv forceheader=1
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
05-07-2021
04:08 AM
Can you please try this? Just modify search as per your requirement.
YOUR_SEARCH
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted
Sample Search:
| makeresults
| eval _raw="StudentName StudentId Grade ExamDate
Tom 1 60 2021-04-01
Jerry 2 70 2021-04-01
Tom 1 62 2021-04-07
Jerry 2 55 2021-04-07
"
| multikv forceheader=1
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junlozhang
Explorer
05-08-2021
12:06 AM
Hi, I got another question:
About string concat,
I want the separator to be white space "\t", and I called the function like
mvjoin(ExamDate, "\t")and I want a special Unicode character "\u0006" and I called the function like
StudentName."\u0006".StudentIdand I got the literal "\t" and "\u0006".
Tom\u00061:2021-04-01,60\t2021-04-07,62What should I do to get the real white space and Unicode character?
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
