Splunk Search

How to write a search to merge and display data from two events in a single line?

ravinallaparedd
New Member

Hello,

I would like to merge two events with a search to display both events' data on a single line. Refer to the example ticket data below:

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10002,Resolved,GroupB,12-02-2016

Output -> RowNumber_1,TicketNo_1,Ticket_Status_1,Owner_1,Date_1,RowNumber_2,TicketNo_2,Ticket_Status_2,Owner_2,Date_2
Single Event -> 1,INC10001,Assigned,GroupA,12-01-2016,2,INC10002,Resolved,GroupB,12-02-2016


snoobzilla
Builder

It looks like you are trying to join multiple tickets on the same row without a common field. Assuming you meant to be joining the same ticket... e.g.

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016

This stats command

| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo

Should yield the following (sorry for the alignment here, but the plural fields will be multi-value fields in a single cell of the table):

TicketNo    Current_Status    Ticket_Statuses    Owners    Dates
INC10001    Resolved          Assigned           GroupA    12-01-2016
                              Resolved           GroupB    12-02-2016
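
As an added example (not snoobzilla's code and not taken from the Splunk documentation), the search below rebuilds the two events of the answer with makeresults and eval, so it runs on any Splunk instance without index data, and then applies the stats command from the answer. The field names and values are the ones given in the thread; RowNumber is produced with streamstats, which is also the basis of the streamstats alternative described after the block.

```spl
| makeresults count=2
| streamstats count AS RowNumber
| eval TicketNo="INC10001",
       Ticket_Status=case(RowNumber=1, "Assigned", RowNumber=2, "Resolved"),
       Owner=case(RowNumber=1, "GroupA", RowNumber=2, "GroupB"),
       Date=case(RowNumber=1, "12-01-2016", RowNumber=2, "12-02-2016")
| stats last(Ticket_Status) AS Current_Status
        list(Ticket_Status) AS Ticket_Statuses
        list(Owner) AS Owners
        list(Date) AS Dates
        by TicketNo
```

The constructed rows enter stats in the order they were generated, so last(Ticket_Status) is "Resolved". On events read from an index, a normal search delivers results newest-first, and last() then returns the chronologically oldest value; add `| sort 0 _time` before the stats command (or use first() instead) when Current_Status must be the latest status. If you want to keep one row per event and only carry the previous event's status along, the streamstats form mentioned in this thread does that: `| streamstats current=f last(Ticket_Status) AS Previous_Status by TicketNo`.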



ravinallaparedd
New Member

Thank you.

I got the solution; it can be done through either stats or streamstats.

Regards,
Ravi
