Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Split results that are in same row

Becherer
Explorer
‎02-05-2021 03:54 PM

Currently I am running into an issue where if there is a person logs onto a server multiple times, it combines. Any ideas on how to split?

Here is sample data.

Currently I am using
| stats values(*) as * by Host Account_Name

From This:

HostAccount_NameDurationSession_EndSession_Start
fdk-DC01jfrank 1612536779
1612558813		1612536778
1612558812
fdk-DC01ptom00:00:0216125636971612563695
fdk-Host01jfrank00:00:0516125393221612539317
fdk-Host03bhill 1612540329
1612543822		1612540323
1612543816

 

To This:

HostAccount_NameDurationSession_EndSession_Start
fdk-DC01jfrank 00:00:0316125367791612536778
fdk-DC01jfrank00:00:0716125588131612558812
fdk-DC01ptom00:00:0216125636971612563695
fdk-Host01jfrank00:00:0516125393221612539317
fdk-Host03bhill 00:00:0916125403291612540323
fdk-Host03bhill00:00:01016125438221612543816

 

 

Thank you for any pointers!

Labels (4)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-07-2021 02:29 PM

In addition to @saravanan90 comment, just be aware that when using stats values() the resultant values in the multi-value field will be sorted and duplicates removed, so hence if combining two columns using mvzip you need to know your data will be sensibly sorted to combined item 1+1 and 2+2 from each of the 2 fields.

In your time based case, this is likely, but if doing this with data that might sort alphabetically, this would not always yield the correct pairs.

 

0 Karma
Reply

saravanan90
Contributor
‎02-05-2021 09:06 PM

This may help..

base query | fields - Duration | eval temp = mvzip(Session_Start, Session_End, ",") | mvexpand temp | makemv delim="," temp | eval Session_Start = mvindex(temp, 0),Session_End = mvindex(temp, 1) | fields - temp | eval Duration=tostring(Session_End-Session_Start,"duration")

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...