Splunk Search

How to write a search to merge and display data from two events in a single line?

New Member

Hello,

I would like to merge two events with a search to display both events' data in a single line. Refer to the example ticket data below:

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10002,Resolved,GroupB,12-02-2016

Output -> RowNumber1,TicketNo1,TicketStatus1,Owner1,Date1,RowNumber2,TicketNo2,TicketStatus2,Owner2,Date2
Single Event -> 1,INC10001,Assigned,GroupA,12-01-2016,2,INC10002,Resolved,GroupB,12-02-2016

0 Karma

Re: How to write a search to merge and display data from two events in a single line?

Builder

It looks like you are trying to join multiple tickets on the same row without a common field. Assuming you meant to be joining the same ticket, e.g.

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016

This stats command

| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo

should yield the following (sorry for the alignment here; the plural fields will be multivalue fields in a single cell of the table):

TicketNo    Current_Status    Ticket_Statuses    Owners    Dates
INC10001    Resolved          Assigned           GroupA    12-01-2016
                              Resolved           GroupB    12-02-2016


0 Karma
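As an added example (not part of this thread, and not Splunk's own documentation), the search below builds the two sample events from the question inline with makeresults (constructed data, so it runs without an index) and then pivots them onto one row in the exact shape the question asked for. It reuses the answer's idea of collapsing with stats list(), then splits each multivalue field into numbered columns with mvindex inside foreach. The field names are the ones from the question; the streamstats count is only there to reproduce the RowNumber column.

```spl
| makeresults count=2
| streamstats count AS RowNumber
| eval TicketNo=if(RowNumber==1, "INC10001", "INC10002"),
       Ticket_Status=if(RowNumber==1, "Assigned", "Resolved"),
       Owner=if(RowNumber==1, "GroupA", "GroupB"),
       Date=if(RowNumber==1, "12-01-2016", "12-02-2016")
| fields - _time
| stats list(*) AS *
| foreach RowNumber TicketNo Ticket_Status Owner Date
    [ eval <<FIELD>>1 = mvindex('<<FIELD>>', 0),
           <<FIELD>>2 = mvindex('<<FIELD>>', 1) ]
| table RowNumber1 TicketNo1 Ticket_Status1 Owner1 Date1
        RowNumber2 TicketNo2 Ticket_Status2 Owner2 Date2
```

The pairing here is purely positional: list() keeps events in search order, so the first event always lands in the "1" columns and the second in the "2" columns. That is fine for a one-off report, but for anything used in detection or alerting logic, correlate on a real shared key instead (the stats ... by TicketNo form in the answer above), because positional pairing silently produces wrong rows as soon as event order or count changes.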

Re: How to write a search to merge and display data from two events in a single line?

New Member

Thank you.

I got the solution; it can be done through either stats or streamstats.

Regards,
Ravi

0 Karma