Solved: How to merge two events with same field into one

sudeep5689 · ‎05-07-2020

I have two rows having follwing values:
Name Text Count
A ABC 1
A EFG 1

I want that my result should be displayed in single row showing count as 2 and both the text for a common name = A. Is there a way we can acheive this

gcusello · ‎05-08-2020

Hi @sudeep5689,
try something like this:

your_search
| stats values(Text) AS Text sum(Count) AS Count BY Name

Ciao.
Giuseppe

View solution in original post

gcusello · ‎05-08-2020

Hi @sudeep5689,
try something like this:

your_search
| stats values(Text) AS Text sum(Count) AS Count BY Name

Ciao.
Giuseppe

sudeep5689 · ‎05-08-2020

Hi Thanks for your response, but when i tried this, its not displaying the count .I mean count should be displayed in the count column. but its not displaying it

jrceja313 · ‎05-08-2020

If Count is actually a field, the above should work. If not, try this.

your_search
| stats values(Text) as Text, count as Count by Name
| table Name, Text, Count
| eval Text=mvjoin(Text,",")

the eval Text mvjoin can be added if you want it to be a comma separated list

How to merge two events with same field into one

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?