Hello All,
I have a number of individual records in Splunk, all with a common field of X, that I'm trying to combine.
E.g.
User-name=JG, srcIP=10.0.0.1
User-name=JG,file=jg.docx
User-name=JG, dstIP=10.1.1.0
User-name=JG,Email=jg@jg.com
User-name=AB, srcIP=10.0.0.2
User-name=AB,file=AB.docx
User-name=AB, dstIP=10.2.2.0
User-name=AB,Email=AB@AB.com
I want to do the following search: Group all the records which match by the User-name fields, and allow me to manipulate the fields.
E.g.
USERNAME, srcIP, file, dstIP, Email
JG, 10.0.0.1, jg.docx, 10.1.1.0, jg@jg.com
AB, 10.0.0.2, AB.docx, 10.2.2.0, AB@AB.com
Initial thoughts are that I do a dedup based on the Username and then nest a search to pull data back; not sure!
Virtual beer on offer here 😄
@JohnGilmour,
Try
"your base search"|stats values(srcIP) as srcIP,values(file) as file,values(dstIP) as dstIP,values(Email) as Email by User-name
Based on your data, I created a dummy search which might be useful to you:
| makeresults
| eval Text="User-name=JG,srcIP=10.0.0.1:User-name=JG,file=jg.docx:User-name=JG,dstIP=10.1.1.0:User-name=JG,Email=jg@jg.com:User-name=AB,srcIP=10.0.0.2:User-name=AB,file=AB.docx:User-name=AB,dstIP=10.2.2.0:User-name=AB,Email=AB@AB.com"
| makemv Text delim=":"
| mvexpand Text
| makemv Text delim=" "
| eval Username=mvindex(split(Text,","),0)
| eval field2=mvindex(split(Text,","),1)
| table _time Username field2
| makemv Username delim="="
| eval Username=mvindex(Username,1)
| makemv field2 delim="="
| eval fieldname=mvindex(field2,0)
| eval fieldvalue=mvindex(field2,1)
| table _time Username fieldname fieldvalue
| chart values(fieldvalue) over Username by fieldname
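To make the semantics of the stats answer concrete, here is an added Python emulation (not code from the thread) of `stats values(field) as field by User-name` run over the question's eight records; the record text is constructed from those lines, joined with ":" the same way the dummy search does, and it also shows what happens when a user has two srcIP values (a sorted multivalue, duplicates collapsed).

```python
"""Emulate Splunk's `stats values(<field>) as <field> by User-name` over the
thread's sample records. Added example, not code from the thread; the
record text below is constructed from the question's eight lines."""
from collections import defaultdict

# Constructed sample input: the eight key=value records from the question,
# joined with ":" exactly as the answer's dummy search does.
SAMPLE = ("User-name=JG,srcIP=10.0.0.1:User-name=JG,file=jg.docx:"
          "User-name=JG,dstIP=10.1.1.0:User-name=JG,Email=jg@jg.com:"
          "User-name=AB,srcIP=10.0.0.2:User-name=AB,file=AB.docx:"
          "User-name=AB,dstIP=10.2.2.0:User-name=AB,Email=AB@AB.com")

FIELDS = ["srcIP", "file", "dstIP", "Email"]


def parse_records(text):
    """Split the ':'-delimited text into one dict per record (the mvexpand
    step), then split each 'name=value' pair on ',' and '='."""
    records = []
    for chunk in text.split(":"):
        rec = {}
        for pair in chunk.split(","):
            name, _, value = pair.strip().partition("=")
            rec[name] = value
        records.append(rec)
    return records


def stats_values_by(records, by, fields):
    """Mimic `stats values(f) by <by>`: per group, each field becomes the
    distinct values sorted lexicographically (the order values() uses),
    returned as a list; a field never seen in a group is absent (null)."""
    groups = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if by not in rec:
            continue  # records lacking the split-by field are dropped
        for f in fields:
            if f in rec:
                groups[rec[by]][f].add(rec[f])
    return {key: {f: sorted(vals[f]) for f in fields if f in vals}
            for key, vals in groups.items()}


def combined_rows(text=SAMPLE):
    """Return the pivoted table the question asks for: one row per user."""
    return stats_values_by(parse_records(text), "User-name", FIELDS)


if __name__ == "__main__":
    for user, row in sorted(combined_rows().items()):
        print(user, *[", ".join(row.get(f, [])) for f in FIELDS])
```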