The Merge operator reduces a stream of events to a single event using a specified merge strategy. It is particularly useful as a subquery for the Transactionize operator. Each field can have a different merge strategy:
- takeFirst - summarize the field using the earliest value
- takeLast - summarize the field using the latest value
- join with separator - reduce the field by combining all values into a single string with the specified separator between each value
Merge _raw values and separate them with newlines. Adds a Time field containing the earliest timestamp.
Merge values of the named field using the takeFirst strategy by default
merge [field] [strategy] as [new_name]
Merge values of field "foo" using the specified strategy and name the result new_name
merge [field] as [name], [field] [strategy], [field] join with [separator] as [name2] ...
Merge comma-delimited list of fields with separate merge strategies. Where no strategy is specified, takeFirst is implied
- The special field _messageTime can only use strategies takeFirst and takeLast
The following query:
* | parse "BytesSentPersec = \"*\"" as BytesPersec
| merge BytesPersec join with "--", _messageTime takeLast
produces a result something like this:
To use the merge operator with the Transactionize operator, one good use case is when all log messages have a common field, for example, transaction_id or request_id. Using the merge operator with transactionize merges all the messages with the common fields, such as the following query:
| parse regex "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]) - "
| transactionize ip (merge ip takeFirst, _raw join with "\n\n\n")
Which would provides results like the following. (Notice that all the logs from the same IP are now grouped in one record.)