Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk event combine: How to get data of one timestamp in a single event?

uagraw01
Builder
‎08-08-2023 06:33 AM

Hello Splunkers!!

I have used DB connect to fetch the data from oracle database table and after ingesting the data  I see that the data of the same timestamp is breaking in different lines. But I want a data of one timestamp in a single event.

Eg: Here timestamp with 2023-08-08 14:35:34.849 breaked with 8 different lines.

uagraw01_0-1691501425949.png

 

Expected result :

2023-08-08 14:35:34.849, IDPARENT="3433794", NAME="OPERATORID", VALUE_NUMBER="1"
IDPARENT="3433794", NAME="INSTANCEID", VALUE_NUMBER="900000000"
IDPARENT="3433794", NAME="REASON"
IDPARENT="3433794", NAME="PLANNEDQUANTITYEACHES", VALUE_NUMBER="0"
,IDPARENT="3433794", NAME="PLANNEDQUANTITY", VALUE_NUMBER="0"
IDPARENT="3433794", NAME="TASKID", VALUE_NUMBER="10009113755"
IDPARENT="3433794", NAME="STOREORDERNR", VALUE_TEXT="1000000432"
IDPARENT="3433794", NAME="OPERATOR", VALUE_TEXT="1"

Please help me how to achieve this. Is there any pertained source type available for oracle database for dB connect.?

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎08-08-2023 10:34 AM

@uagraw01 - Splunk does not do that. What I can see is your database table has different rows for each of these. So I see this as expected behavior.

To achieve what you want (To combine them into a single line) you have two options:

* combine with SQL query -> Use GROUP BY

* combine with Splunk query -> | stats values(*) as * by _time

 

I hope this helps!!!

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎08-08-2023 10:34 AM

@uagraw01 - Splunk does not do that. What I can see is your database table has different rows for each of these. So I see this as expected behavior.

To achieve what you want (To combine them into a single line) you have two options:

* combine with SQL query -> Use GROUP BY

* combine with Splunk query -> | stats values(*) as * by _time

 

I hope this helps!!!

Reply
Solved! Jump to solution

uagraw01
Builder
‎08-08-2023 09:46 AM

Is there any lead from anyone on this issue ?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...