https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89490#M182226 <P>use an eval to concatenate the fields, and in the case a field is missing, use a sed command to remove the extra separation commas.</P> <PRE> mysearch | fillnull value="" field1 field2 field3 | eval myfield=field1.",".field2.",".field3 | rex field=myfield mode=sed "s/([,]*)}/,/g" | table myfield </PRE> <P>remark : sed command not tested, please try or replace by some logic in the eval.</P> Mon, 15 Oct 2012 04:47:10 GMT yannK 2012-10-15T04:47:10Z https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89489#M182225 <P>Hi,</P> <P>I have three fields : </P> <P>field1 field2 field3<BR /> delhi<BR /> delhi<BR /> kol<BR /> delhi mumbai<BR /><BR /> delhi kol<BR /><BR /> mumbai kolkata andhra </P> <P>Output should be like : </P> <P>Final_Field<BR /> delhi<BR /> delhi<BR /> kol<BR /> delhi,mumbai<BR /> delhi,kol<BR /> mumbai,kolkata,andhra</P> <P>Please help !!</P> <P>Thanks</P> Sun, 14 Oct 2012 19:28:06 GMT https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89489#M182225 abhayneilam 2012-10-14T19:28:06Z https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89490#M182226 <P>use an eval to concatenate the fields, and in the case a field is missing, use a sed command to remove the extra separation commas.</P> <PRE> mysearch | fillnull value="" field1 field2 field3 | eval myfield=field1.",".field2.",".field3 | rex field=myfield mode=sed "s/([,]*)}/,/g" | table myfield </PRE> <P>remark : sed command not tested, please try or replace by some logic in the eval.</P> Mon, 15 Oct 2012 04:47:10 GMT https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89490#M182226 yannK 2012-10-15T04:47:10Z https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89491#M182227 <P>Thats what one would like to think, but if either of the fields is missing altogether, the eval fails.</P> <P>You'd have to use <CODE>fillnull</CODE> or similar first.</P> Mon, 15 Oct 2012 10:40:31 GMT https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89491#M182227 kristian_kolb 2012-10-15T10:40:31Z https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89492#M182228 <P>Thanks Kristian, the fillnull is required indeed, let me add it.</P> Mon, 15 Oct 2012 14:13:08 GMT https://community.splunk.com/t5/Splunk-Search/concatenating-more-than-one-field/m-p/89492#M182228 yannK 2012-10-15T14:13:08Z