Solved: Merge Lines Query based on ID

mnorindr · ‎08-08-2014

Hello,

I would like to merge 2 lines which an ID is the unique Key.
Ex

Username      Date         ID        
   Max                    1702
             08/08/14     1702

and get just one line base on the unique ID

Username      Date         ID
   Max       08/08/14     1702

Is it possible to do that?
I though that the command merge can help but do not success

Thanks for your help

somesoni2 · ‎08-08-2014

Try something like this

your base search | table Username Date ID | stats first(*) as * by ID

View solution in original post

rakeshh123 · ‎02-01-2016

Hi mnorindr,
It can be solved by using Transaction......according to data u got 2lines having redundant data ....for example sessionid may remain same for a particular transaction

this can be solved by using Transaction query

rhys04 · ‎01-29-2016

I'm on Splunk 6.3 and there's a dedup command you can use in the search for this purpose.
your base search | dedup ID order by username desc

Is there a way apply this logic upon ingestion as opposed to search?

somesoni2 · ‎08-08-2014

Try something like this

your base search | table Username Date ID | stats first(*) as * by ID

mnorindr · ‎08-11-2014

Just try but doesn't work (No results found). I see in the forum that maybe "transaction" command can help, i'll try

marhuc · ‎02-01-2018

I have similar problem, I tried this approach and it works fine

Merge Lines Query based on ID

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life