Splunk Search

Group records by two fields

varun99
Path Finder

Hi,

I have the data like below:

TransactionID1   TransactionID2
aaaaaaaaaaaa     aaaaaaaaaaaa
aaaaaaaaaaaa     bbbbbbbbbbb
bbbbbbbbbbb
ccccccccccccc    ccccccccccccc
ccccccccccccc    ccccccccccccc
ccccccccccccc

I need to group some records based on the above two fields so that the first three records come together and the last three come together, based on the fact that any of TransactionID1 or TransactionID2 are the same. It is a bit easy to group the last three. However, I am finding it difficult to group the first three. Kindly help.

0 Karma

DalJeanis
SplunkTrust

We need to see a little bit more of the actual search or the actual data to understand what you are having problems with.

0 Karma

hortonew
Builder

Also, what would your desired output look like? I imagine you're trying to group events together if either trans1 or trans2 match the previous one, but break into a new group should neither match.

0 Karma
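The grouping the question describes is "connected components": two rows belong together if they share an ID value, and the relation is transitive (row 1 links to row 2 through the "aaaa" ID, row 2 links to row 3 through the "bbbb" ID, even though rows 1 and 3 share nothing directly). The snippet below is an added illustration of that logic in Python, not an answer from the thread or Splunk's own implementation; it uses the six rows from the question (a missing value recorded as None) and assumes, as the question seems to require, that an ID is matched whichever column it appears in. The cross_field switch shows why the first three rows are harder than the last three: with column-specific matching, row 3 never joins rows 1 and 2.

```python
# Added example: group rows that share a value in TransactionID1 or
# TransactionID2, transitively, using union-find (connected components).
from collections import defaultdict

# Constructed from the rows in the question; a missing field is None.
ROWS = [
    {"TransactionID1": "aaaaaaaaaaaa", "TransactionID2": "aaaaaaaaaaaa"},
    {"TransactionID1": "aaaaaaaaaaaa", "TransactionID2": "bbbbbbbbbbb"},
    {"TransactionID1": "bbbbbbbbbbb", "TransactionID2": None},
    {"TransactionID1": "ccccccccccccc", "TransactionID2": "ccccccccccccc"},
    {"TransactionID1": "ccccccccccccc", "TransactionID2": "ccccccccccccc"},
    {"TransactionID1": "ccccccccccccc", "TransactionID2": None},
]

FIELDS = ("TransactionID1", "TransactionID2")


def group_rows(rows, fields=FIELDS, cross_field=True):
    """Return a list of groups, each a list of row indices, such that rows
    sharing an ID value in any of `fields` land in the same group, transitively.

    cross_field=True  : an ID matches no matter which column it is in
                        (assumed to be what the question wants).
    cross_field=False : an ID only matches the same column in another row.
    """
    parent = {}

    def find(x):
        # Union-find with path halving; unseen nodes become their own root.
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    # Every row is a node; every non-empty ID value is a node. Linking a row
    # to each of its ID nodes makes rows that share an ID share a component.
    for i, row in enumerate(rows):
        row_node = ("row", i)
        find(row_node)  # register rows with no usable IDs as singletons
        for f in fields:
            value = row.get(f)
            if not value:
                continue  # missing / empty field contributes no link
            value_node = ("val", value) if cross_field else ("val", f, value)
            union(row_node, value_node)

    groups = defaultdict(list)
    for i in range(len(rows)):
        groups[find(("row", i))].append(i)
    # Stable output: order groups by the first row they contain.
    return sorted(groups.values(), key=lambda g: g[0])


if __name__ == "__main__":
    print("cross-field :", group_rows(ROWS))                    # [[0, 1, 2], [3, 4, 5]]
    print("per-column  :", group_rows(ROWS, cross_field=False)) # [[0, 1], [2], [3, 4, 5]]
```

The same idea carries over to any pair of correlation keys (session ID and source address, request ID and trace ID): build a link from each record to each key value it carries, then read off the components. A record with neither key stays a group of one rather than being silently attached to a neighbour.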