Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Merge Lines Query based on ID

mnorindr
Engager
‎08-08-2014 05:52 AM

Hello,

I would like to merge 2 lines which an ID is the unique Key.
Ex

Username      Date         ID        
   Max                    1702
             08/08/14     1702

and get just one line base on the unique ID

Username      Date         ID
   Max       08/08/14     1702

Is it possible to do that?
I though that the command merge can help but do not success

Thanks for your help

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-08-2014 06:00 AM

Try something like this

your base search | table Username Date ID | stats first(*) as * by ID

View solution in original post

Reply
Solved! Jump to solution

rakeshh123
Path Finder
‎02-01-2016 03:50 AM

Hi mnorindr,
It can be solved by using Transaction......according to data u got 2lines having redundant data ....for example sessionid may remain same for a particular transaction
alt text

this can be solved by using Transaction query
alt text

Preview file
142 KB
Preview file
144 KB
Reply
Solved! Jump to solution

rhys04
New Member
‎01-29-2016 05:06 PM

I'm on Splunk 6.3 and there's a dedup command you can use in the search for this purpose.
your base search | dedup ID order by username desc

Is there a way apply this logic upon ingestion as opposed to search?

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-08-2014 06:00 AM

Try something like this

your base search | table Username Date ID | stats first(*) as * by ID
Reply
Solved! Jump to solution

mnorindr
Engager
‎08-11-2014 04:41 AM

Just try but doesn't work (No results found). I see in the forum that maybe "transaction" command can help, i'll try

0 Karma
Reply
Solved! Jump to solution

marhuc
Explorer
‎02-01-2018 04:24 AM

I have similar problem, I tried this approach and it works fine

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...