Splunk Search

Merge events base on common field

darksky21
Path Finder

Hi, is there any way i could merge events base on common field?

For example there are 6 events :

Jun 1 2012 A:1

Jun 1 2012 B:2

Jun 1 2012 C:3

Jun 22 2012 A:33

Jun 22 2012 B:32

Jun 22 2012 C:31

How to i merge events with same date together:

June 1 2012 A:1 B:2 C:3

Jun 22 2012 A:33 B:32 C:31

Any help is appreciated

Tags (4)
1 Solution

BobM
Builder

Assuming you have the fields being extracted as A, B, & C you can use stats.

mysearch | stats first(A) as A, first(B) as B, first(C) as C by _time

If you need the whole event merged you can use the less efficient command transactions.

mysearch | transaction _time

and in either if the times are not identical you can use the bucket command

mysearch | bucket _time span=1d | …

Bob

View solution in original post

BobM
Builder

Assuming you have the fields being extracted as A, B, & C you can use stats.

mysearch | stats first(A) as A, first(B) as B, first(C) as C by _time

If you need the whole event merged you can use the less efficient command transactions.

mysearch | transaction _time

and in either if the times are not identical you can use the bucket command

mysearch | bucket _time span=1d | …

Bob

darksky21
Path Finder

thx for the help

0 Karma

Shashank_87
Explorer

Use something like this because for a large chunk of data transaction command is very expensive

rex out the field which you want in the stats
search | rex field =_raw "expression" | stats list(field1) as field1 by _time

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...