Hey there,
This had me puzzled for a bit! And I do hope I haven't over-engineered it.
I think the best way for you to achieve this is to potentially use a lookup. This will work on small to moderate datasets; if your dataset is larger, you may want to consider the KV Store.
First, I reproduced your dataset like this:
| makeresults count=5
| streamstats count
| eval Parent=CASE(count=1,"A",count=2,"A",count=3,"B",count=4,"C",count=5,"C",1==1,0)
| eval Child=CASE(count=1,"B",count=2,"C",count=3,"D",count=4,"E",count=5,"F",1==1,0)
| fields - _time
| fields Parent Child
Then I output the results to a CSV with | outputlookup family.csv
I then used that output to link the family members together.
| makeresults count=5
| streamstats count
| eval Parent=CASE(count=1,"A",count=2,"A",count=3,"B",count=4,"C",count=5,"C",1==1,0)
| eval Child=CASE(count=1,"B",count=2,"C",count=3,"D",count=4,"E",count=5,"F",1==1,0)
| fields - _time
| fields Parent Child
| lookup family.csv Parent AS Child OUTPUT Child AS Grandchild
Finally, you'll see that, because C is the parent of both E and F, Splunk will give you a multivalued field for Grandchild.
You can then use | mvexpand Grandchild which should give you the result you're looking for.
I hope this works for you and demonstrates how a lookup can be used to match data like this. Remember, you can always schedule the outputlookup to keep the family.csv up to date.
Thanks
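As an added example (not part of the answer above), here is the same lookup-based self-join written as one pipeline that reads the family table back with inputlookup, and then chained a second time to reach great-grandchildren. The lookup file name family.csv and the Parent/Child columns come from the answer; the GreatGrandchild field name, the inputlookup source, and the second lookup step are my assumptions. Each mvexpand runs before the next lookup so that every multivalued match is split into its own row before being used as a lookup key.

```spl
| inputlookup family.csv
| lookup family.csv Parent AS Child OUTPUT Child AS Grandchild
| mvexpand Grandchild
| lookup family.csv Parent AS Grandchild OUTPUT Child AS GreatGrandchild
| mvexpand GreatGrandchild
| where isnotnull(Grandchild)
| table Parent Child Grandchild GreatGrandchild
```

With the five rows from the answer (A-B, A-C, B-D, C-E, C-F), the first lookup turns the A-B row into A-B-D and the A-C row into A-C-E and A-C-F, and the final where drops rows such as B-D whose child has no children of its own. Every extra generation is one more lookup/mvexpand pair against the same family.csv, so the file only has to be refreshed by a single scheduled outputlookup.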