https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114365#M30235 <P>That is perfect. Thank you!</P> Sun, 22 Jun 2014 00:47:57 GMT skottieb 2014-06-22T00:47:57Z https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114361#M30231 <P>Hi,<BR /> I'm trying to take filds from different events and put them in one table column. I've true this using the rename command, however, only the first rename files as SocialMediaPost it matched.</P> <PRE><CODE>index="mail" (text!='' OR status!='' OR comment_text!='' OR message!='') | rename text as SocialPostData status as SocialPostData comment_text as SocialPostData message as SocialPostData | table URL User SocialPostData </CODE></PRE> <P>Any help, much appreciated!</P> <P>Scott-</P> Sat, 21 Jun 2014 02:44:30 GMT https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114361#M30231 skottieb 2014-06-21T02:44:30Z https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114362#M30232 <P>What output are you getting now, and what does your desired output look like?</P> Sat, 21 Jun 2014 09:19:09 GMT https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114362#M30232 martin_mueller 2014-06-21T09:19:09Z https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114363#M30233 <P>Now - 4 column of data.</P> <HR /> <H2>text status comment_text message</H2> <P>It's+all+good.<BR /><BR /> This.%20Is.%20Awesome%21%21<BR /><BR /> please%20do%20tell%2C%20soon!<BR /><BR /> more%20random<BR /><BR /> tweeted<BR /><BR /> tweeteed<BR /><BR /> Test%20mobile%0A<BR /><BR /> this%20is%20comment%20data<BR /><BR /> tweeter<BR /><BR /> missing </P> <H2>Want this consolidated to 1.</H2> <H2>data</H2> <P>It's+all+good.<BR /> This.%20Is.%20Awesome%21%21<BR /> please%20do%20tell%2C%20soon!<BR /> more%20random<BR /> tweeted<BR /> tweeteed<BR /> Test%20mobile%0A<BR /> this%20is%20comment%20data<BR /> tweeter</P> Sat, 21 Jun 2014 13:29:22 GMT https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114363#M30233 skottieb 2014-06-21T13:29:22Z https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114364#M30234 <P>Hmm... you might be looking for this:</P> <PRE><CODE>... | eval data = coalesce(text, status, comment_text, message) | fields - text status comment_text message </CODE></PRE> <P>That will take the first value that isn't <CODE>null</CODE> and write it into the <CODE>data</CODE> field.</P> Sat, 21 Jun 2014 14:18:07 GMT https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114364#M30234 martin_mueller 2014-06-21T14:18:07Z https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114365#M30235 <P>That is perfect. Thank you!</P> Sun, 22 Jun 2014 00:47:57 GMT https://community.splunk.com/t5/Splunk-Search/Merge-event-field-into-single-table-column/m-p/114365#M30235 skottieb 2014-06-22T00:47:57Z