Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk search result Formatting

masmi99
Explorer
‎09-30-2021 04:58 AM

my search query checks for the last 15m for each 5min interval Sample query:

index=XXXX sourcetype=XXX* env=XXX OR env=XXX "Continuation timed out"
| bucket _time span=5m 
| timechart span=5m count AS Devices 
| eval inc_severity=case('Device'>=450, "3") 
| eval support_group=case('Device'>=450, "XXXXX") 
| eval dedup_tag=case('Device'>=450, "XXXXXX") 
| eval corr_tag=case('Devices'>=450, "XXXXXX") 
| eval event_status=case('Device'>=450, "1") 
| eval service_condition=case('Device'>=450, "1") 
| table sev event dedup corr support_group service_condition _time Devices
| sort 3 - Devices
| sort _time
| where isnotnull('inc_severity')
| where 'Devices'>450

based on above query my output is as follows

sev  event  dedup   corr    support_group   service_condition   _time    Device
3     1     xxx     xxx          xxx              1               x       700
3     1     xxx     xxx          xxx              1               y       900
3     1    xxx     xxx          xxx              1               z       1000

but what i am trying to get the output as follows

sev event   dedup   corr    support_group   service_condition. _time    Device
3      1         xxx   xxx      xxx               1             x,y,z  700,900,1000

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2021 05:25 AM

Try adding this to the end of the query.

| stats values(_time) as _time, values(Devices) as Devices by sev event dedup corr support_group service_condition
| table sev event dedup corr support_group service_condition _time Devices
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2021 05:25 AM

Try adding this to the end of the query.

| stats values(_time) as _time, values(Devices) as Devices by sev event dedup corr support_group service_condition
| table sev event dedup corr support_group service_condition _time Devices
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

masmi99
Explorer
‎09-30-2021 06:09 AM

Thank you it worked

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2021 05:16 AM

Hi

You can try something like this:

| makeresults 
| eval _raw = "sev  event  dedup   corr    support_group   service_condition    time    Device
3     1     xxx     xxx          xxx              1               x              700
3     1     xxx     xxx          xxx              1               y              900
3     1     xxx     xxx          xxx              1               z              1000"
| multikv forceheader=1
| fields - _time _raw
``` above generate sample data ```
| stats values(*) as * by sev event dedup corr support_group service_condition
| eval Device = mvjoin(Device, ","), time = mvjoin(time, ",")

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...