Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to merge and display data from two events in a single line?

ravinallaparedd
New Member
‎12-01-2016 04:41 AM

Hello,

I would like to merge two events with a search to display both events' data in single line. Refer the below example ticket data:

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10002,Resolved,GroupB,12-02-2016

Output -> RowNumber_1,TicketNo_1, Ticket_Status_1 Owner_1,Date_1,RowNumber_2,TicketNo_2, Ticket_Status_2 Owner_2,Date_2
Single Event->1,INC10001,Assigned,GroupA,12-01-2016, 2,INC10002,Resolved,GroupB,12-02-2016

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

snoobzilla
Builder
‎12-01-2016 01:13 PM

It looks like you are tyring to join multiple tickets on same row without common field. Assuming you meant to be joining same ticket... e.g.

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016

This stats command

| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo

Should yield... sorry for alignment here, but plurals will be multi value fields with single cell in table.

TicketNo    Current_Status    Ticket_Statuses   Owners  Dates
INC10001    Resolved          Assigned         GroupA   12-01-2016
                              Resolved         GroupB   12-02-2016

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

snoobzilla
Builder
‎12-01-2016 01:13 PM

It looks like you are tyring to join multiple tickets on same row without common field. Assuming you meant to be joining same ticket... e.g.

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016

This stats command

| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo

Should yield... sorry for alignment here, but plurals will be multi value fields with single cell in table.

TicketNo    Current_Status    Ticket_Statuses   Owners  Dates
INC10001    Resolved          Assigned         GroupA   12-01-2016
                              Resolved         GroupB   12-02-2016
0 Karma
Reply
Solved! Jump to solution

ravinallaparedd
New Member
‎12-02-2016 03:34 AM

Thank you.

I got the solution, it can be done through either stats or streams tats.

Regards,
Ravi

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...