Re: How to combine rows based on parent-child rela...

yolk · ‎12-08-2023

Hi,

I have data like these entries

link id parent name
---- --- -------- ---------

link1 311 email.eml

link1 312 311 abc.rar

link2 315 312 xyz.exe

that I want to combine into this

link id parent name
---- --- -------- ---------

link1, link2 315, 312, 311 312, 311 xyz.exe, abc.rar, email.eml

Combining condition is based on id and parent.

311 is the parent, 312 is child of 311, 315 is child of 312 ('grandchild' of 311)

Thank you in advance for your help!

oda · ‎12-21-2023

I would like to create an answer, but could you please tell me the final form you would like to create?

yolk · ‎12-26-2023

Hi,

Thanks for helping! This is the final output I would like to create as stated in original post.

link id parent name
---- --- -------- ---------
link1, link2 315, 312, 311 312, 311 xyz.exe, abc.rar, email.eml

oda · ‎12-26-2023

Oops
I understand your explanation.

That's difficult to achieve with Splunk.
Please refer to the URL below for details.

https://community.splunk.com/t5/Splunk-Search/recursively-join-the-same-table/m-p/140079

If you have other conditions, you may be able to do it.
Example
- This log is an experiment log and can be identified for each experiment.
- Logs that are always parent and child will be displayed below.

How to combine rows based on parent-child relationship on separate fields

stats

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?