Solved: Merge events base on common field

darksky21 · ‎10-27-2013

Hi, is there any way i could merge events base on common field?

For example there are 6 events :

Jun 1 2012 A:1

Jun 1 2012 B:2

Jun 1 2012 C:3

Jun 22 2012 A:33

Jun 22 2012 B:32

Jun 22 2012 C:31

How to i merge events with same date together:

June 1 2012 A:1 B:2 C:3

Jun 22 2012 A:33 B:32 C:31

Any help is appreciated

BobM · ‎10-27-2013

Assuming you have the fields being extracted as A, B, & C you can use stats.

mysearch | stats first(A) as A, first(B) as B, first(C) as C by _time

If you need the whole event merged you can use the less efficient command transactions.

mysearch | transaction _time

and in either if the times are not identical you can use the bucket command

mysearch | bucket _time span=1d | …

Bob

BobM · ‎10-27-2013

Assuming you have the fields being extracted as A, B, & C you can use stats.

mysearch | stats first(A) as A, first(B) as B, first(C) as C by _time

If you need the whole event merged you can use the less efficient command transactions.

mysearch | transaction _time

and in either if the times are not identical you can use the bucket command

mysearch | bucket _time span=1d | …

Bob

darksky21 · ‎10-28-2013

thx for the help

Shashank_87 · ‎05-04-2018

Use something like this because for a large chunk of data transaction command is very expensive

rex out the field which you want in the stats
search | rex field =_raw "expression" | stats list(field1) as field1 by _time

Merge events base on common field