Splunk Search

Group result by fields combination and generate a table

thunder_wu
Path Finder

I have a search that will return 4 fields from a report database, say f1, f2, f3, f4. I want to group the results by the combination of f3 and f4, then create a table with the following columns:

• f1 from earliest event for each group
• f2 from last event for each group
• f3
• f4

How should I complete the query?


jluo_splunk
Splunk Employee

Try..

.. | transaction user_id, claim_number | table user_id, claim_number, id, message

Does this give you a table with what you want (aside from listing just the first and last event ids)?

thunder_wu
Path Finder

What I figured out is

... | stats earliest(id) AS earliest_id, latest(id) AS latest_id, latest(message) AS latest_message BY user_id, claim_number

s2_splunk
Splunk Employee

Can you provide a couple of sample records and your expected outcome? What do you mean by "group by combination of f3 and f4"?

0 Karma

thunder_wu
Path Finder

Assuming the following happen in time order:

id  message            user_id  claim_number
1   "finished step 1"  100      1000000001
2   "finished step 2"  100      1000000001

3   "finished step 1"  101      1000000001
4   "finished step 2"  101      1000000001
5   "finished step 3"  101      1000000001

6   "finished step 1"  100      1000000002
7   "finished step 2"  100      1000000002
8   "finished step 3"  100      1000000002

For each unique (user_id, claim_number) group, I need a table with the following columns:

• earliest event's id
• last event's id
• last event's message
• user_id
• claim_number

Thanks!


thunder_wu
Path Finder

In the above example, there are three groups:
(100, 1000000001) - id = 1, 2
(101, 1000000001) - id = 3, 4, 5
(100, 1000000002) - id = 6, 7, 8

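As an added example (not from any post in this thread), the stats query above run against the eight sample records, recreated inline with makeresults so it can be pasted into any Splunk search bar without the report index. The _time values are constructed one minute apart in id order: earliest() and latest() pick by _time, not by the order events appear in the sample, so if ids and timestamps disagree in real data the result follows the timestamps.

```spl
| makeresults count=8
| streamstats count AS id
| eval _time = relative_time(now(), "-1h") + (id * 60)
| eval user_id = case(id <= 2, 100, id <= 5, 101, true(), 100)
| eval claim_number = case(id <= 5, 1000000001, true(), 1000000002)
| eval step = case(id == 1 OR id == 3 OR id == 6, 1, id == 2 OR id == 4 OR id == 7, 2, true(), 3)
| eval message = "finished step " . step
| stats earliest(id) AS earliest_id, latest(id) AS latest_id, latest(message) AS latest_message BY user_id, claim_number
| table user_id, claim_number, earliest_id, latest_id, latest_message
```

The result is the three groups listed above: (100, 1000000001) with ids 1 and 2 and "finished step 2", (101, 1000000001) with ids 3 and 5 and "finished step 3", and (100, 1000000002) with ids 6 and 8 and "finished step 3".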