topic Re: How can I combine a field value , if the other 3 field values are the same in Splunk Search

How can I combine a field value , if the other 3 field values are the same

Dayalss — Tue, 10 Sep 2024 13:13:56 GMT

Hi,

How can I combine a field value , if the other 3 field values are the same

Ex:- If the field1 , field2 , field3 are same but the field4 is different and its creating a new row in my splunk table,

I want to merge or combine the field4 values into one field value separated by commas if the field1 , field2 , field3 are same

Re: How can I combine a field value , if the other 3 field values are the same

ITWhisperer — Tue, 10 Sep 2024 13:48:45 GMT

Please give an example of your expected output for when the fields are the same and for when they are not the same.

Re: How can I combine a field value , if the other 3 field values are the same

gcusello — Tue, 10 Sep 2024 13:50:03 GMT

Hi @Dayalss ,

sorry but it isn't clear, could yuou share some sample of the normal condition (field1, field2 and field3 different), and the condition with field1, field2 and field3 the same?

Ciao.

Giuseppe

Re: How can I combine a field value , if the other 3 field values are the same

Dayalss — Tue, 10 Sep 2024 14:14:37 GMT

Hi,

My current data looks like

IP	Hostname	ID	Sockets
1.1.1.1.	Apple	100	404
1.1.1.1.	Apple	100	22
2.2.2.2.	Banana	99	404
3.3.3.3	Grapes	98	404

So only because for the 2nd row socket is 22 its creating another row , what I want is if the first 3 columns are same then it can merge the socket field value like

IP	Hostname	ID	Sockets
1.1.1.1.	Apple	100	404,22
2.2.2.2.	Banana	99	404
3.3.3.3	Grapes	98	404

Re: How can I combine a field value , if the other 3 field values are the same

ITWhisperer — Tue, 10 Sep 2024 14:18:47 GMT

| stats values(Sockets) as Sockets by IP Hostname ID | eval Sockets=mvjoin(Sockets, ",")

Re: How can I combine a field value , if the other 3 field values are the same

Dayalss — Tue, 10 Sep 2024 14:39:07 GMT

Hi ,

I have already tried this , but the issue is there are around 15+ fields which Im using in my complete table query at last.

I just want to merge only based on these 3 fields , but if I mention these fields in stats all other 12+ fields are getting empty values.

Is there a way only it can check for those 3 fields and does not impact other field values

Re: How can I combine a field value , if the other 3 field values are the same

ITWhisperer — Tue, 10 Sep 2024 15:58:09 GMT

Please provide a more complete representation of your data and your expected output - we can only work with what you show us.

Re: How can I combine a field value , if the other 3 field values are the same

dural_yyz — Tue, 10 Sep 2024 17:18:40 GMT

Take what was given previously and adjust with your additional fields you need carried through.

Original Suggestion

| stats values(Sockets) as Sockets by IP Hostname ID | eval Sockets=mvjoin(Sockets, ",")

Extended Suggestion

| stats values(x) as x, values(y) as y, values(Sockets) as Sockets by IP Hostname ID | eval Sockets=mvjoin(Sockets, ",") | table IP Hostname ID Sockets x y

Extend as many fields that you want to carry forward and the table is only required if you wish to control the display order of the fields, completely skip otherwise.