Splunk Search

Merge Lines Query based on ID

mnorindr
Engager

Hello,

I would like to merge 2 lines where an ID is the unique key.
Ex:

Username      Date         ID        
   Max                    1702
             08/08/14     1702

and get just one line based on the unique ID

Username      Date         ID
   Max       08/08/14     1702

Is it possible to do that?
I thought that the merge command could help, but I did not succeed.

Thanks for your help

1 Solution

somesoni2
Revered Legend

Try something like this

your base search | table Username Date ID | stats first(*) as * by ID
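
The accepted search above, run against constructed rows so it can be pasted into any search bar without an index (an added example, not part of the original answer). The `makeresults` scaffolding, the helper field `row`, and the second ID 1703 with its Username and Date are made up for illustration; the first ID reproduces the two half-filled lines from the question.

```spl
| makeresults count=4
| streamstats count AS row
| eval ID=if(row<=2, 1702, 1703)
| eval Username=case(row=1, "Max", row=3, "Ana")
| eval Date=case(row=2, "08/08/14", row=4, "09/08/14")
| table Username Date ID
| stats first(*) AS * BY ID
| table Username Date ID
```

Each ID comes back as a single row with both Username and Date filled, because `first()` skips events where the field is null. Events that have no ID field at all are excluded by `BY ID`, and field names are case-sensitive, so confirm the exact field name if the real search returns nothing.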


rakeshh123
Path Finder

Hi mnorindr,
It can be solved by using transaction. According to the data, you have 2 lines with redundant data. For example, the session ID may remain the same for a particular transaction.

This can be solved by using a transaction query.

rhys04
New Member

I'm on Splunk 6.3 and there's a dedup command you can use in the search for this purpose.
your base search | dedup ID sortby -Username

Is there a way to apply this logic upon ingestion as opposed to search?


somesoni2
Revered Legend

Try something like this

your base search | table Username Date ID | stats first(*) as * by ID

mnorindr
Engager

Just tried it but it doesn't work (No results found). I see in the forum that maybe the "transaction" command can help, I'll try.


marhuc
Explorer

I have a similar problem, I tried this approach and it works fine.
