https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361588#M165182 <P>Thanks. This is I am looking for.</P> Tue, 14 Nov 2017 16:31:09 GMT splunkrocks2014 2017-11-14T16:31:09Z https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361586#M165180 <P>Is it an easy way to list IP's from different columns into one? For instance,</P> <PRE><CODE>header ip1 ip2 ip3 ------- ------- -------- -------- record1 1.1.1.1 2.2.2.2 3.3.3.3 record2 4.4.4.4 5.5.5.5 6.6.6.6 </CODE></PRE> <P>The end result looks like the following:</P> <PRE><CODE> header ip ---------- ----------- record1 1.1.1.1 2.2.2.2 3.3.3.3 record2 4.4.4.4 5.5.5.5 6.6.6.6 </CODE></PRE> <P>Here is my search query:</P> <PRE><CODE>| makeresults | eval header="record1", ip1="1.1.1.1", ip2="2.2.2.2", ip3="3.3.3.3" | append [| makeresults | eval header="record2", ip1="4.4.4.4", ip2="5.5.5.5", ip3="6.6.6.6"] | fields - _time | eval ip=ip1+"|" + ip2+"|"+ip3 | fields - ip1 ip2 ip3 | makemv delim="|" ip </CODE></PRE> <P>It works as expected, but it seems cumbersome. Is there a better way to achieve the same result? Thanks. </P> Tue, 14 Nov 2017 15:29:37 GMT https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361586#M165180 splunkrocks2014 2017-11-14T15:29:37Z https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361587#M165181 <P>There are two easy ways. </P> <P>First, if the event is a record that has been extracted and has a <CODE>_raw</CODE> field...</P> <PRE><CODE>| makeresults | eval _raw="header=\"record1\", ip1=\"1.1.1.1\", ip2=\"2.2.2.2\", ip3=\"3.3.3.3\"" | append [| makeresults | eval _raw="header=\"record2\", ip1=\"4.4.4.4\", ip2=\"5.5.5.5\", ip3=\"6.6.6.6\""] | rex field=_raw "(?&lt;myIP&gt;\d+\.\d+\.\d+\.\d+)(\D|$)" max_match=0 </CODE></PRE> <P>Second, if the above is not the case...</P> <PRE><CODE>| makeresults | eval header="record1", ip1="1.1.1.1", ip2="2.2.2.2", ip3="3.3.3.3" | append [| makeresults | eval header="record2", ip1="4.4.4.4", ip2="5.5.5.5", ip3="6.6.6.6"] | fields - _time | streamstats count as recno | untable recno fieldname fieldvalue | regex fieldvalue="^\d+\.\d+\.\d+\.\d+$" | stats list(fieldvalue) as myIP by recno </CODE></PRE> Tue, 14 Nov 2017 15:55:54 GMT https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361587#M165181 DalJeanis 2017-11-14T15:55:54Z https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361588#M165182 <P>Thanks. This is I am looking for.</P> Tue, 14 Nov 2017 16:31:09 GMT https://community.splunk.com/t5/Splunk-Search/Iist-IPs-from-different-columns/m-p/361588#M165182 splunkrocks2014 2017-11-14T16:31:09Z