Splunk Search

How to merge the content of a group

junlozhang
Explorer

Let's say the data looks like:

StudentNameStudentIdGradeExamDate
Tom1602021-04-01
Jerry2702021-04-01
Tom1622021-04-07
Jerry2552021-04-07

And the the result I want looks like:

Formatted
Tom,1:2021-04-01,60;2021-04-07,62
Jerry,2;2021-04-01,70;2021-04-07,55

I want to divide the origin data into groups by key "StudentId", and then merge the contents in each group to make a formatted string

Of course, I can get all the data and write a program in Python or Java to process it.... But it would be better if I can do this only with SPL

I have written a script to group by "StudentId":

 

 

transaction StudentId
| stats list(_raw) as rawList by StudentId

 

 

But don't know what to do next

Labels (2)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@junlozhang 

 

Can you please try this? Just modify search as per your requirement. 

 

YOUR_SEARCH
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId 
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName  by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted

 

 

Sample Search:

 

| makeresults 
| eval _raw="StudentName	StudentId	Grade	ExamDate
Tom	1	60	2021-04-01
Jerry	2	70	2021-04-01
Tom	1	62	2021-04-07
Jerry	2	55	2021-04-07
" 
| multikv forceheader=1 
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId 
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName  by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted

  

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

@junlozhang 

 

Can you please try this? Just modify search as per your requirement. 

 

YOUR_SEARCH
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId 
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName  by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted

 

 

Sample Search:

 

| makeresults 
| eval _raw="StudentName	StudentId	Grade	ExamDate
Tom	1	60	2021-04-01
Jerry	2	70	2021-04-01
Tom	1	62	2021-04-07
Jerry	2	55	2021-04-07
" 
| multikv forceheader=1 
| stats values(StudentName) as StudentName list(Grade) as Grade list(ExamDate) as ExamDate by StudentId 
| eval ExamDate = mvzip(ExamDate,Grade) | mvexpand ExamDate
| stats values(ExamDate) as ExamDate values(StudentName) as StudentName  by StudentId | eval Formatted=StudentName.",".StudentId.":".mvjoin(ExamDate,";") | fields Formatted

  

junlozhang
Explorer

Hi, I got another question:

About string concat

I want the separator to be white space "\t", and I called the function like

mvjoin(ExamDate, "\t")

and I want a special Unicode character "\u0006" and I called the function like

StudentName."\u0006".StudentId

and I got the literal "\t" and "\u0006". 

Tom\u00061:2021-04-01,60\t2021-04-07,62

What should I do to get the real white space and Unicode character?

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...