topic Re: concat two fields into one in Getting Data In

concat two fields into one

mmattek — Wed, 14 Sep 2011 18:39:06 GMT

ok, we have a field defined (user), and for another sourcetype I have the extracts already occurring for appUser and and appDomain.. so for this sourcetype I want user to be overriden as appUser@appDomain.

my guess would be index time? But I don't really care as long as it works.

Re: concat two fields into one

bobbole7 — Wed, 14 Sep 2011 18:49:50 GMT

Why not just use rename as?

Re: concat two fields into one

Ayn — Wed, 14 Sep 2011 19:09:43 GMT

How do you know which user corresponds to which appUser@appDomain?

Re: concat two fields into one

mmattek — Wed, 14 Sep 2011 19:36:44 GMT

can I do that in props or something? I know I can do it in an individual search, but I need it done for everyone.

Re: concat two fields into one

mmattek — Wed, 14 Sep 2011 19:44:57 GMT

I may not be making this clear.. there is already an extract for appUser and appDomain. We have a generic (more than this app) field called "user" and I want to concat these two fields with an "@" sign in the middle. I don't want the user to have to do this in every search (I don't really care if it is done at index time or not)

Re: concat two fields into one

Ayn — Wed, 14 Sep 2011 19:54:29 GMT

So when the user issues the search, the returned fields include "user", "appUser" and "appDomain"?

Re: concat two fields into one

Ayn — Wed, 14 Sep 2011 20:20:24 GMT

Quick and easy solution would be to use eval or strcat to concatenate the field values together. Like

<yourbasesearch> | eval user=appUser."@".appDomain

If you (or your users) don't want to have to specify that in every search though, you kind of can concatenate your appUser and appDomain values to the user field in props.conf and transforms.conf. The idea would be to take the regex for one of them then glue it together with the regex for the other using some generic matching regex between them, match both fields then combine them. NOTE: this can be done ONLY for index-time extractions. Concatenating fields together in this way does not work with search-time extractions. At search-time you'd have to use the eval solution.

In props.conf:

[yoursourcetype]
TRANSFORMS-user = extractuser

In transforms.conf:

[extractuser]
REGEX = (the appUser regex).+?(the appDomain regex)
FORMAT = user::$1@$2

Re: concat two fields into one

mmattek — Wed, 14 Sep 2011 20:59:24 GMT

thanks.. that is sort of working, but it isn't substituing correctly (just leaving $1@$2 for the field value). I suspect its because I'm trying to use SOURCE_KEY={another extracted field from a previous transform} I guess I have to regex from the overall raw log message?

Re: concat two fields into one

mmattek — Wed, 14 Sep 2011 21:20:42 GMT

looking at:
http://www.splunk.com/support/forum:SplunkGeneral/2684

it looks like maybe this isn't doable with extracted fields?

Re: concat two fields into one

Ayn — Wed, 14 Sep 2011 21:33:06 GMT

My bad - this cannot be done with search-time extractions, just at index-time, as described in transforms.conf.spec. You need TRANSFORMS instead of REPORT. Updating my answer to reflect that.

Re: concat two fields into one

Ayn — Wed, 14 Sep 2011 21:36:34 GMT

Correct. Concatenating different values for one single field when doing extractions is possible with index-time extractions only.