How to group my data so that any values with the s...

dcheng123 · ‎03-08-2017

Hi , I'm very new here with Splunk searches

I'm trying to do a group by on my dataset so that any rows with the same time can be aggregated or merged into 1 row.
eg:)

timesec  |  col1 | col2 |col3
11111    |  A    | B    |  C
11111    |  A1   | B    |  C
22222    |  D1   | D2   | D3
22222    |  E1   | E2   | E3
33333    |  tt   | tt1  | tt2

and I'm trying to get something like

timesec  |   col1          |        col2     |         col3
11111    |   A , A1        |        B        |         C
22222    |   D1,E1         |        D2,E2    |         D3,E3
33333    |   tt            |        tt1      |         tt2

I am not sure if its possible to keep 1 value if its the same or append by comma if its different so I am okay if the result is something like

timesec   |  col1          |      col2     |   col3
11111     |  A , A1        |      B,B      |   C,C
22222     |  D1,E1         |      D2,E2    |   D3,E3
33333     |  tt            |      tt1      |   tt2

I been trying to use stats list then by timesec but it seems to only get the timesec and then the rest of the column values are null. I am not too sure what I am doing wrong. Any help would be great. Thanks!

somesoni2 · ‎03-08-2017

Try like this

your base search | stats values(col1) as col1 values(col2) as col2 values(col3) as col3 by timesec delim=","

How to group my data so that any values with the same time will be merged into 1 row?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?