- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- _time field is lost after merging events with comm...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to merge multiple events that contains the same ID into an unique event. For example:
{id: 123
setDate: 2018-08-18
status: completed
},
{id: 123
setDate: 2018-08-17
status: started
}
To solve it I am using the transaction function. Therefore it seems _time is overridden by transaction.
How could I merge the events without override _time or how could I extract override after merging?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would avoid transaction completely. You can do much the same thing like this and it scales better:
Your Base Search Here
| stats list(_raw) AS _raw range(_time) AS duration min(_time) AS _time max(_time) AS end_time values(foo) AS foo other stuff here BY id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would avoid transaction completely. You can do much the same thing like this and it scales better:
Your Base Search Here
| stats list(_raw) AS _raw range(_time) AS duration min(_time) AS _time max(_time) AS end_time values(foo) AS foo other stuff here BY id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you use the transaction command, the merged raw data will have timestamp/_time value of event that occurred the earliest (min of _time). If you want to have reference to _time of other event(s) as well, create a new field (e.g. | eval Timestmap=_time OR | eval Timestmap=strftime(_time,"%F %T") based on you want to retain epoch or string formatted date) before transaction.
Also, if all you do is merge based on id field, then use a stats command instead of using transaction to merge those events together. Just include appropriate fields in stats's aggregation list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @somesoni2, thanks for replying. Perhaps my question is not complete. I would like to keep _time so I can use in timechart (which uses _time as x-axis by default).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - Did you try what @somesoni2 suggested?
Basically, what he is trying ti say is - if you need the _time field , you need to assign to an eval function BEFORE the pipe where your _time gets lost, then you need to set _time = the field that you stored the _time value, something like this :eval k=strptime(strftime(_time,"%Y-%m-%d%H:%M:S"),"%Y-%m-%d%H:%M:%S")|....|.....|....|eval _time=k| timechart xxxxx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Sukisen1981. Sorry for the delay. Yes, I tried and it worked! Thanks
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
