Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to merge and display data from two events in a single line?

ravinallaparedd
New Member
‎12-01-2016 04:41 AM

Hello,

I would like to merge two events with a search to display both events' data in single line. Refer the below example ticket data:

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10002,Resolved,GroupB,12-02-2016

Output -> RowNumber_1,TicketNo_1, Ticket_Status_1 Owner_1,Date_1,RowNumber_2,TicketNo_2, Ticket_Status_2 Owner_2,Date_2
Single Event->1,INC10001,Assigned,GroupA,12-01-2016, 2,INC10002,Resolved,GroupB,12-02-2016

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

snoobzilla
Builder
‎12-01-2016 01:13 PM

It looks like you are tyring to join multiple tickets on same row without common field. Assuming you meant to be joining same ticket... e.g.

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016

This stats command

| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo

Should yield... sorry for alignment here, but plurals will be multi value fields with single cell in table.

TicketNo    Current_Status    Ticket_Statuses   Owners  Dates
INC10001    Resolved          Assigned         GroupA   12-01-2016
                              Resolved         GroupB   12-02-2016

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

snoobzilla
Builder
‎12-01-2016 01:13 PM

It looks like you are tyring to join multiple tickets on same row without common field. Assuming you meant to be joining same ticket... e.g.

Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016

This stats command

| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo

Should yield... sorry for alignment here, but plurals will be multi value fields with single cell in table.

TicketNo    Current_Status    Ticket_Statuses   Owners  Dates
INC10001    Resolved          Assigned         GroupA   12-01-2016
                              Resolved         GroupB   12-02-2016
0 Karma
Reply
Solved! Jump to solution

ravinallaparedd
New Member
‎12-02-2016 03:34 AM

Thank you.

I got the solution, it can be done through either stats or streams tats.

Regards,
Ravi

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...