Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk event combine: How to get data of one timestamp in a single event?

uagraw01
Motivator
‎08-08-2023 06:33 AM

Hello Splunkers!!

I have used DB connect to fetch the data from oracle database table and after ingesting the data  I see that the data of the same timestamp is breaking in different lines. But I want a data of one timestamp in a single event.

Eg: Here timestamp with 2023-08-08 14:35:34.849 breaked with 8 different lines.

uagraw01_0-1691501425949.png

 

Expected result :

2023-08-08 14:35:34.849, IDPARENT="3433794", NAME="OPERATORID", VALUE_NUMBER="1"
IDPARENT="3433794", NAME="INSTANCEID", VALUE_NUMBER="900000000"
IDPARENT="3433794", NAME="REASON"
IDPARENT="3433794", NAME="PLANNEDQUANTITYEACHES", VALUE_NUMBER="0"
,IDPARENT="3433794", NAME="PLANNEDQUANTITY", VALUE_NUMBER="0"
IDPARENT="3433794", NAME="TASKID", VALUE_NUMBER="10009113755"
IDPARENT="3433794", NAME="STOREORDERNR", VALUE_TEXT="1000000432"
IDPARENT="3433794", NAME="OPERATOR", VALUE_TEXT="1"

Please help me how to achieve this. Is there any pertained source type available for oracle database for dB connect.?

 

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎08-08-2023 10:34 AM

@uagraw01 - Splunk does not do that. What I can see is your database table has different rows for each of these. So I see this as expected behavior.

To achieve what you want (To combine them into a single line) you have two options:

* combine with SQL query -> Use GROUP BY

* combine with Splunk query -> | stats values(*) as * by _time

 

I hope this helps!!!

View solution in original post

Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎08-08-2023 10:34 AM

@uagraw01 - Splunk does not do that. What I can see is your database table has different rows for each of these. So I see this as expected behavior.

To achieve what you want (To combine them into a single line) you have two options:

* combine with SQL query -> Use GROUP BY

* combine with Splunk query -> | stats values(*) as * by _time

 

I hope this helps!!!

Reply
Solved! Jump to solution

uagraw01
Motivator
‎08-08-2023 09:46 AM

Is there any lead from anyone on this issue ?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...