topic Re: How to combine two fields into one field? in Splunk Search

How to combine two fields into one field?

marisstella — Fri, 12 Jul 2019 12:26:01 GMT

Hello everyone,
I have created some fields but now I want to combine the fields, Ex: I have created fields like A B C now I want to create a new field which combine two fields.. EX D= A+B or D=A+B+C
Can any one help me on this?

Re: How to combine two fields into one field?

richgalloway — Fri, 12 Jul 2019 13:07:24 GMT

If by "combine" you mean concatenate then you use the concatenation operator within an eval statement.

... | eval D = A . B . C

will create a field 'D' containing the values from fields A, B, C strung together (D=ABC). You can add text between the elements if you like:

... | eval D = A . "+" . B . "=" . C

Re: How to combine two fields into one field?

marisstella — Fri, 12 Jul 2019 13:18:37 GMT

Hello richgalloway,
Thanks for your reply, I have tried that like eval report=A . "-" .B
It is working and behaving report as a new field but we can't run the SPL query every time.. So I'm planing to create a new field which combines the two fields which I have created and working successfully.....
When I run the SPL Query, eval repor= duration. "-" .action it combines these two fields...
So they can see how much time was taken to complete the action... is there a way to add two fields and make them as third field???

Re: How to combine two fields into one field?

FrankVl — Fri, 12 Jul 2019 13:29:14 GMT

Yes, just define a calculated field with that same eval expression in it.

In the GUI under Settings -> Fields -> Calculated Fields. Or directly in props.conf under the respective sourcetype: EVAL-report = A . "-" .B

Re: How to combine two fields into one field?

marisstella — Fri, 12 Jul 2019 14:12:23 GMT

Okay, but one question?
EVAL-report =A . "-" .B
So here, the A and B are name of the fields or regular expression of the A and B fields?

Re: How to combine two fields into one field?

FrankVl — Fri, 12 Jul 2019 14:14:30 GMT

The names of those fields (assuming you already have extractions defined for those fields).

Re: How to combine two fields into one field?

marisstella — Fri, 12 Jul 2019 14:28:36 GMT

Yes, I have created fields already.. In settings>fields>calculatedfields> selected sourcetype after that it is asking eval expression..

Re: How to combine two fields into one field?

marisstella — Fri, 12 Jul 2019 14:35:10 GMT

I have given name
Eval Expresion = EVAL-report = timeendpos. "-" .timestartpos

then it gave this error: Encountered the following error while trying to save: In handler 'props-eval': Operator types incompatible

Re: How to combine two fields into one field?

FrankVl — Fri, 12 Jul 2019 14:39:45 GMT

If you're creating the calculated field through the GUI, you just need the eval expression itself, not the EVAL-report = bit. So just enter timeendpos. "-" .timestartpos

Re: How to combine two fields into one field?

marisstella — Sat, 13 Jul 2019 04:47:04 GMT

Hiiii, it didn't work.. Any suggestions?

Re: How to combine two fields into one field?

FrankVl — Sun, 14 Jul 2019 08:38:26 GMT

Can you create a screenshot of the calculated field settings? Upload it to some imagehost and share the url here.

Re: How to combine two fields into one field?

marisstella — Sun, 14 Jul 2019 08:54:35 GMT

Hi FrankVI, thank you so much for your reply.. I should complete this by Monday morning..
here are the requested URL's
https://ibb.co/R6ZX1Rs
https://ibb.co/ZVV6dZk

Re: How to combine two fields into one field?

FrankVl — Sun, 14 Jul 2019 08:59:53 GMT

Can you also open the calculated fields to see how you configured it?

Also: from what I can see from your search screenshot, the 2 events with an MTP value do not have a Duration value. So then of course the calculation fails.

Re: How to combine two fields into one field?

marisstella — Sun, 14 Jul 2019 09:24:41 GMT

Here Duration and MTP both are completely different eachother..
my query is to merge these two fields by creating new field...
here MTP means action and Duration means time..
if I merge these fields, the client will get know "ACtion completed by 55 sec" by clicking on single field....

https://ibb.co/hBG9NMt

Re: How to combine two fields into one field?

FrankVl — Sun, 14 Jul 2019 10:07:25 GMT

Config as provided in the comments looks fine, but if those fields are not together in 1 event, there is no way this will work using calculated fields. You will need to write a search query that combines the related events somehow, to get that information together.

If you need help with that, I suggest you create a new question, with proper detailed explanation of what you are trying to achieve.

Re: How to combine two fields into one field?

marisstella — Mon, 15 Jul 2019 05:43:44 GMT

Hii, it didn't work...
I want to create new field by combining existing field...

Re: How to combine two fields into one field?

FrankVl — Mon, 15 Jul 2019 07:10:29 GMT

See my answer below, and stop just kicking your question without adding any new information. As explained: what you want is impossible with calculated fields. You cannot combine fields from 2 separate events like that.