topic Re: How to display two field values in a single table column? in Splunk Search

How to display two field values in a single table column?

JohnSwansson — Mon, 27 Jul 2015 08:04:00 GMT

I have the following search:

index=cashflow host=atm source=income OR source=outcome | eval accountStatus="Income: " + transactionIncome + " and Outcome: " + transactionOutcome | table accountStatus

I have validated that | table transactionIncome transactionOutcome works, meaning that I see the values of each field in separate columns, but it does not work combining them in a single column called accountStatus as the query would. Why is this? I am also not able to do a column with the sum of [ transactionIncome + transactionOutcome ]. What have I not understood?

EDIT: Okay so apparently you can't add the value of a field from one event with the value of a field in another event. How would one go about this? transactionIncome and transactionOutcome are generated from different sources and are not within the same event.

Re: How to display two field values in a single table column?

krishnarajapant — Mon, 27 Jul 2015 13:57:26 GMT

Hi,

You can add the columns using "addcoltotals" and "addtotals" commands.

Also I tried with below and it is working fine for me. In my example code and bytes are two different fields.

sourcetype=* | eval x= code + bytes | table code bytes x | fieldformat x= "Total:".x

-Krishna Rajapantula

Re: How to display two field values in a single table column?

pradeepkumarg — Mon, 27 Jul 2015 14:15:42 GMT

Concatenation operator between two strings in splunk is . and not +

 index=cashflow host=atm source=income OR source=outcome | eval accountStatus="Income: ".transactionIncome." and Outcome: ".transactionOutcome | table accountStatus

Re: How to display two field values in a single table column?

JohnSwansson — Mon, 27 Jul 2015 14:38:45 GMT

Still doesn't work, when running eval accountStatus="Income: ".transactionIncome." and Outcome: ".transactionOutcome i get:

Nothing. accountStatus is empty.

When running: eval accountStatus="Income: ".transactionIncome I get:

Income: 100

When running eval accountStatus=" and Outcome: ".transactionOutcome I get:

and Outcome: 200

... but within the same row and within the same "string of text" it will not show up.

Re: How to display two field values in a single table column?

somesoni2 — Mon, 27 Jul 2015 14:52:38 GMT

Do you have any common field/value that can be used to combine two events?? OR if they always appear in a particular order which can be used?

Re: How to display two field values in a single table column?

JohnSwansson — Mon, 27 Jul 2015 15:19:12 GMT

They both share the same host!

Re: How to display two field values in a single table column?

somesoni2 — Mon, 27 Jul 2015 19:23:59 GMT

If you query gives you only two events, one with transactionIncome and other with transactionOutcome, then try something like this

index=cashflow host=atm source=income OR source=outcome | stats values(transactionIncome) as transactionIncome values(transactionOutcome) as transactionOutcome by host | eval accountStatus="Income: " + transactionIncome + " and Outcome: " + transactionOutcome | table accountStatus

Update
Try this

 index=cashflow host=atm source=income OR source=outcome | eval transactionIncome=coalesce(transactionIncome,null()) | eval transactionOutcome=coalesce(transactionOutcome,null())| stats values(transactionIncome) as transactionIncome values(transactionOutcome) as transactionOutcome by host | eval accountStatus="Income: " + transactionIncome + " and Outcome: " + transactionOutcome | table accountStatus

Re: How to display two field values in a single table column?

JohnSwansson — Mon, 27 Jul 2015 20:07:57 GMT

Sorry, no, same result as before. It works only with transactionIncome or transactionOutcome, never both at the same time...