https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105220#M183206 <P>OK, thanks. That was helpful. However, when I have multiple values in the Signature_Name field, I get no values when I try to concatenate into the Event_Detail field.</P> <P>Here is my search string:</P> <P>sourcetype="incident"| sort +Severity | lookup geoip clientip as SourceIP_Address| lookup subnetlookup ip as SourceIP_Address OUTPUT subnet_name AS location | eval <BR /> client_country=replace(client_country," ","") | strcat client_city ", " client_region " " client_country mylocation | eval final_location=if(mylocation==", ",location,mylocation) | rex field=final_location "(?<SIP_REGION>.<EM>) (?<SIP_COUNTRY>.</SIP_COUNTRY></EM>)" | eval Event_Detail=Signature_Name+ ";" +Vendor_Signature+ ";" +Incident_Detail_URL+ ";" +Analyst_Assessment | table CreateTimeStamp_GMT Data_Source Reference_Number SourceIP_Address SIP_Region SIP_Country Severity Incident_Category Incident_Classification Event_Detail | outputcsv SymantecReport.csv</SIP_REGION></P> Mon, 28 Sep 2020 10:04:00 GMT efelder0 2020-09-28T10:04:00Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105217#M183203 <P>I have four fields: Signature_Name, Vendor_Signature, Incident_Detail_URL, Analyst_Assessment that I need to concatenate into one field (single string) called 'Event Detail'. Additionally, I need to append a semi-colon at the end of each field. How can this be done? </P> Mon, 28 Sep 2020 10:03:50 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105217#M183203 efelder0 2020-09-28T10:03:50Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105218#M183204 <PRE><CODE>| eval Event_Detail=Signature_Name+";"+Vendor_Signature+";"+Incident_Detail_URL+";"+Analyst_Assessment+";" </CODE></PRE> Mon, 07 Nov 2011 16:16:27 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105218#M183204 bbingham 2011-11-07T16:16:27Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105219#M183205 <P>Use <CODE>eval</CODE>:</P> <PRE><CODE>... | eval Event_Detail= Signature_Name.";".Vendor_Signature.";".Incident_Detail_URL.";".Analyst_Assessment </CODE></PRE> Mon, 07 Nov 2011 16:24:56 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105219#M183205 Ayn 2011-11-07T16:24:56Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105220#M183206 <P>OK, thanks. That was helpful. However, when I have multiple values in the Signature_Name field, I get no values when I try to concatenate into the Event_Detail field.</P> <P>Here is my search string:</P> <P>sourcetype="incident"| sort +Severity | lookup geoip clientip as SourceIP_Address| lookup subnetlookup ip as SourceIP_Address OUTPUT subnet_name AS location | eval <BR /> client_country=replace(client_country," ","") | strcat client_city ", " client_region " " client_country mylocation | eval final_location=if(mylocation==", ",location,mylocation) | rex field=final_location "(?<SIP_REGION>.<EM>) (?<SIP_COUNTRY>.</SIP_COUNTRY></EM>)" | eval Event_Detail=Signature_Name+ ";" +Vendor_Signature+ ";" +Incident_Detail_URL+ ";" +Analyst_Assessment | table CreateTimeStamp_GMT Data_Source Reference_Number SourceIP_Address SIP_Region SIP_Country Severity Incident_Category Incident_Classification Event_Detail | outputcsv SymantecReport.csv</SIP_REGION></P> Mon, 28 Sep 2020 10:04:00 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105220#M183206 efelder0 2020-09-28T10:04:00Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105221#M183207 <P>Did you ever figure this out? "No values" when there are multiple values in the field.</P> Thu, 03 Nov 2016 16:38:13 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105221#M183207 leonphelps_s 2016-11-03T16:38:13Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105222#M183208 <P>for the issue with MV fields and concatenation, you can always use mvjoin first to get all of the Signature Names comma separated (or any other delim)</P> <P>sourcetype="incident"| sort +Severity | lookup geoip clientip as SourceIP_Address| lookup subnetlookup ip as SourceIP_Address OUTPUT subnet_name AS location | eval <BR /> client_country=replace(client_country," ","") | strcat client_city ", " client_region " " client_country mylocation | eval final_location=if(mylocation==", ",location,mylocation) | rex field=final_location "(?.) (?.)" <BR /> | eval Signature_Name=mvjoin(Signature_Name,", ")<BR /> | eval Event_Detail=Signature_Name+ ";" +Vendor_Signature+ ";" +Incident_Detail_URL+ ";" +Analyst_Assessment | table CreateTimeStamp_GMT Data_Source Reference_Number SourceIP_Address SIP_Region SIP_Country Severity Incident_Category Incident_Classification Event_Detail | outputcsv SymantecReport.csv</P> Tue, 29 Sep 2020 11:40:33 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105222#M183208 cmerriman 2020-09-29T11:40:33Z https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105223#M183209 <P>My issue ended up being a command ordering issue. Inadvertently had the eval command before the mv</P> Thu, 03 Nov 2016 18:07:33 GMT https://community.splunk.com/t5/Splunk-Search/Concatenate-fields-into-a-single-string/m-p/105223#M183209 leonphelps_s 2016-11-03T18:07:33Z