topic Consolidate fields at search time in Splunk Search

Consolidate fields at search time

Josh — Wed, 28 Apr 2010 23:58:02 GMT

How can I consolidate 2 or more fields into one new field at search time?

e.g. ...| fields a,b,c | d

In the above I would like d to hold all values in fields a,b,c so what I am doing is creating a new field called d out of the fields a,b and c. Is this possible?

Re: Consolidate fields at search time

Lowell — Thu, 29 Apr 2010 00:14:38 GMT

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

Re: Consolidate fields at search time

Simeon — Thu, 29 Apr 2010 00:18:38 GMT

Eval command could do this:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Eval

... | eval field_d=field_a+field_b+field_c | fields field_d

Also, the nomv command might be helpful for your use case:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Nomv

Re: Consolidate fields at search time

Josh — Thu, 29 Apr 2010 00:45:18 GMT

eval d=coalesce(a,b,c)

This worked a treat, single value when a,b or c wcould be null (or missing)

Perfect thanks

Re: Consolidate fields at search time

gkanapathy — Thu, 29 Apr 2010 00:50:10 GMT

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

Re: Consolidate fields at search time

Lowell — Thu, 29 Apr 2010 01:31:43 GMT

Is there an advantage to using makemv vs using split() eval function? (Other than split() was introduced in 4.1)

Re: Consolidate fields at search time

gkanapathy — Thu, 29 Apr 2010 02:57:08 GMT

No, it's the same.

Re: Consolidate fields at search time

sideview — Thu, 29 Apr 2010 02:58:48 GMT

If your intention ultimately is to get statistics or data about each unique combination of a, b and c, then its easier to do things like "stats avg(foo) values(bar) by a, b, c".