KingJohnno
Reputation: 602
Splunk: Duplicate Fields, different fields - merge
I have a number of individual records in Splunk all with a common field of X, which i'm trying to combine.
E.g
User-name=JG, srcIP=10.0.0.1
User-name=JG,file=jg.docx
User-name=JG, dstIP=10.1.1.0
User-name=JG,[email protected]
User-name=AB, srcIP=10.0.0.2
User-name=AB,file=AB.docx
User-name=AB, dstIP=10.2.2.0
User-name=AB,[email protected]
I want to do the following search: Group all the records which match by the User-name fields, and allow me to manipulate the fields.
E.g
USERNAE, srcIP, file, dstIP, Email
JG, 10.0.0.1, jg.docx, 10.1.1.0, [email protected]
AB, 10.0.0.2, AB.docx, 10.2.2.0, [email protected]
Thank you!
Upvotes: 0
Views: 755
Answers (1)
pjnike
Reputation: 181
You can check out the stats command to do this:
your search
| stats latest(srcIP) as srcIP, latest(file) as file, latest(dstIP) as dstIP, latest(email) as email by User-name
You can then perform any operations you want to on these fields. The latest function will give you the latest value seen for srcIP/file etc. for that user name.
Upvotes: 2
Related Questions
- How to simplify Splunk search with duplicated query statements
- Splunk: combine fields from multiple lines
- How to merge two stats by in Splunk?
- Duplicate field in Splunk Events
- Can you combine multivalue fields to form a consolidated Splunk alert?
- How to combine two queries in Splunk?
- How to remove duplicate results in splunk
- Splunk combining multiple logs
- Splunk - Merging Associated Events
- Splunk: Extracting multiple fields with the same name