topic Clarification on Combining values of two fields in Splunk Search

Clarification on Combining values of two fields

Jananee_iNautix — Tue, 06 May 2014 07:00:04 GMT

Hi,

There are two columns named Filename and Directory and I want to combine the values of the above said fields and display it as a single field.

Filename Directory File

abc /tmp/op /tmp/op abc

Method 1:
I used mvappend command to combine like eval File=mvappend(Directory,Filename) ,the result is as follows

Filename Directory File

abc /tmp/op /tmp/op
abc

dxr /tmp/in /tmp/in
dxr

Method 2:

I used eval File=Directory."".Filename .the result is as follows

Filename Directory File

abc /tmp/op /tmp/op abc

dxr /tmp/in /tmp/in dxr

Can you tell the reason on why mvappend command display the two values one below the other on combining also which method is efficient to use among the two methods mentioned above

Re: Clarification on Combining values of two fields

MuS — Tue, 06 May 2014 07:13:53 GMT

Hi Jananee_iNautix,

Method 1 creates a new multivalued field containing /tmp/op and abc as value.
Method 2 creates a new singlevalued field containing /tmp/op abc as value.

Take this run everywhere example and see that in my_count the values is 2 as there are two values in the field my where as in field yours the count is only 1 value

index=_internal | head 1 | eval foo="1" | eval boo="2" | eval my=mvappend(foo, boo) | eval yours=foo." ".boo | eval my_count=mvcount(my) | eval yours_count=mvcount(yours) | table foo boo my my_count yours yours_count

hope this helps ...

cheers, MuS

Re: Clarification on Combining values of two fields

Jananee_iNautix — Tue, 06 May 2014 13:36:06 GMT

Can you tell which among the two methods is efficient?

Re: Clarification on Combining values of two fields

MuS — Tue, 06 May 2014 13:39:32 GMT

No, this depends on your use case and what you further do with the new field. You can test it very easy: run both searches and compare the run times in the job inspector.