Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Merge rows in one

alex_orl
Engager
‎10-01-2019 04:44 AM

I have data of the kind

Name       Parameter1            Parameter2           Parameter3
A          1
A                                2                    3
B                                                      3
B                                2

I want to get the result as shown below

Name       Parameter1            Parameter2           Parameter3
A          1                     2                    3
B                                2                    3

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-01-2019 04:59 AM

@alex_orl,

Try

your search | stats values(*) as * by Name
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-01-2019 04:59 AM

@alex_orl,

Try

your search | stats values(*) as * by Name
Happy Splunking!
Reply
Solved! Jump to solution

jpolvino
Builder
‎10-01-2019 04:58 AM

Looking at the top code, will there ever be the case where row 2 and row 3 will both have Parameter1?

You can try something like:
(your search)
| stats list(Parameter1) AS Parameter1 list(Parameter2) AS Parameter2 list(Parameter3) AS Parameter3 BY Name

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-01-2019 04:58 AM

@alex_orl

Try this

YOUR_SEARCH | stats values(Parameter1) as Parameter1 values(Parameter2) as Parameter2 values(Parameter3) as Parameter3 by Name

Example:

| makeresults | eval _raw="     Name       Parameter1            Parameter2           Parameter3
     A          1
     A                                2                    3
     B                                                      3
     B                                2                    
"| multikv | stats values(Parameter1) as Parameter1 values(Parameter2) as Parameter2 values(Parameter3) as Parameter3 by Name

Thanks

Reply
Solved! Jump to solution

timyong80
Explorer
‎05-01-2021 08:15 PM

Thanks! I was looking for this too and it helps. I find that I only need to use the line below without needing | makeresults. Could you explain more about | makeresults?

| multikv | stats values(Parameter1) as Parameter1 values(Parameter2) as Parameter2 values(Parameter3) as Parameter3 by Name

  Thank you.

0 Karma
Reply
Solved! Jump to solution

bradparks
Explorer
‎04-07-2020 09:24 AM

This totally worked for me thanks a ton! For anyone new to this, the fields will look like they've each been merged into a single value in each Parameter, but are still separate values in a way - they're Multivalues now - so to merge 2 multivalues into one, use mkjoin or mkindex(field,0)+mkindex(field,1)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...