topic Re: how do i combine multiple fields in to a single field?? in Splunk Search

how do i combine multiple fields in to a single field??

rakesh_498115 — Sun, 07 Jul 2013 18:32:44 GMT

hi..

I have four fields say A,B,C,D..All these are multivalued fields .. i.e for a single event they can be multiple values in these fields..how can i join them in to a single field ??

used eval MyFiled=(A+B+C+D) like this .. but this is not working...can any one pls help

Re: how do i combine multiple fields in to a single field??

okrabbe_splunk — Sun, 07 Jul 2013 20:34:51 GMT

If you are trying to join multi value fields together you should look into using mvzip. You would have to call it multiple times because mvzip only works on two fields at a time.

The description of eval functions is located here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/CommonEvalFunctions

Re: how do i combine multiple fields in to a single field??

rakesh_498115 — Mon, 08 Jul 2013 07:12:54 GMT

yeah..thanks orkrabbe_splunk even i found this..but since mvzip has only two fields..i thought ther could be something else to figure this..:)

Re: how do i combine multiple fields in to a single field??

rakesh_498115 — Mon, 08 Jul 2013 08:29:55 GMT

small issue here..say i am getting one event. and in that single event i dnt have values for A and have mutliple values for B. in this case i used fillnull to fill the value of "A" as "NA". Since i am getting one event as ouput. A is having only one value "N/A" where as B field having multiple fields... so in this case when i use mvzip(A,B) ..its is only showing me one value .

say for single event output . B has values 1 ,2 , 3, 4 as multiple values.. A has no data to extract ..so used to fillnull to fill A as "N/A" .. now A is having the value ="N/A"

now mvzip(A,B) is resulting as N/A,1

Re: how do i combine multiple fields in to a single field??

rakesh_498115 — Mon, 08 Jul 2013 08:31:16 GMT

[cont..]

and it is missing all the other values of B i.e 2,3 and 4. Can you please tell a way in which i can fillnull all the values of A to be "N/A" . if there is no data to extract for A. thanks

Re: how do i combine multiple fields in to a single field??

linu1988 — Mon, 08 Jul 2013 10:15:55 GMT

Could you try table A,B then mvexpand B? Then try with mvzip.

Re: how do i combine multiple fields in to a single field??

okrabbe_splunk — Mon, 08 Jul 2013 12:56:03 GMT

Linu1988 has the right idea. Try that and let us know how it works.

Re: how do i combine multiple fields in to a single field??

rakesh_498115 — Wed, 10 Jul 2013 17:18:27 GMT

Hi Linu1988..i tried that.but it didnt wrk 😞

Re: how do i combine multiple fields in to a single field??

okrabbe_splunk — Wed, 10 Jul 2013 17:36:21 GMT

Rakesh, could you share maybe a sample of your data and the search string you are using now?

Re: how do i combine multiple fields in to a single field??

wpreston — Wed, 10 Jul 2013 19:32:20 GMT

My suggestion would be to use mvappend and mvjoin to create the fields you need. Perhaps something like this?

...your search | fillnull value="N/A" A 
               | eval TempField=mvappend(B, " ", C) 
               | eval TempField=mvappend(TempField, " ", D) 
               | eval TempField=mvappend(A, " ", TempField)
               | eval FinalField=mvjoin(TempField, " ")
               | ...rest of your commands

Then use whatever you set for FinalField in your reports, and just ignore TempField. It's a bit roundabout, but I think it will do the trick.

Note: I can't post comments to answers from my workplace for some reason, so I'll have to respond to any by editing the original post.

Re: how do i combine multiple fields in to a single field??

srinathd — Tue, 11 Nov 2014 19:05:46 GMT

Hi Rakesh, Did you get the answer for this. I am facing the same issue. please let me know. Thanks

Re: how do i combine multiple fields in to a single field??

kamlesh_vaghela — Sun, 23 Sep 2018 15:20:32 GMT

@rakesh_498115

Try this:

| makeresults 
| eval A="A,B,C",B="D,E,F",C="G,H,I",D="X,Y,Z",E=nulll 
| foreach * 
    [ eval "<<FIELD>>"=split(<<FIELD>>,",") ] 
| eval multivalued_field=mvappend(A,B,C,D),singlevalued_field=mvjoin(multivalued_field,",")