topic Re: How to concatenate two fields and display as one new field? in Splunk Search

How to concatenate two fields and display as one new field?

ulankford — Mon, 28 Sep 2020 18:41:22 GMT

I know this question has been asked numerous times but for some reason the solutions don't appear to work for me.
I want to display a field as Full_Name where the field is made up of two other fields that I have on hand, given & sn.
eval full_name = given." ".sn
eval full_name = given+" "sn

The above I have seen as solution but neither work for me.
eval full_name=given & eval full_name=sn both display their individual fields but when I try and combine them like above, nothing...

It may be with the way I am displaying the results which is by chart.
chart values(given), values(sn), latest(login_time), values(full_name) by user

Re: How to concatenate two fields and display as one new field?

dolivasoh — Fri, 16 Jan 2015 00:05:13 GMT

I have lots of issues when using values(), if ever I'm trying to only display a single result and not too concerned that the actual value will change, I tend to use latest() instead. Your eval looks correct though.

Re: How to concatenate two fields and display as one new field?

ulankford — Fri, 16 Jan 2015 00:33:49 GMT

Thanks for the tip. Unfortunately, using latest() instead of values() does not produce anything either.

Re: How to concatenate two fields and display as one new field?

eddit0r — Fri, 16 Jan 2015 02:27:38 GMT

Can you display the output from using eval full_name = given." ".sn ?

That should work.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Eval

Re: How to concatenate two fields and display as one new field?

aweitzman — Fri, 16 Jan 2015 14:35:34 GMT

So this "run anywhere" example works for me:

| gentimes start=-1 
| eval data="[u1,given1,surname1] [u2,given2,surname2] [u3,given3,surname3]" 
| makemv delim=" " data 
| mvexpand data 
| rex field=data "\[(?<user>.*),(?<given>.*),(?<sn>.*)\]" 
| eval full_name=given." ".sn 
| chart values(given) values(sn) values(full_name) by user

Everything prior to the eval full_name clause is just to generate the proper data. (You can run just that part to see what the result is.) Once I have that, the eval followed by the chart (similar to the way you have it) works just fine.

Hopefully seeing this work will help you identify what's not going right with your search.

Re: How to concatenate two fields and display as one new field?

ulankford — Fri, 23 Jan 2015 05:10:01 GMT

Thanks for that.
My full query is the following.

index=linux_syslog netgroup=sap* process="sshd" "session opened for user" | rex field=_raw "session opened for user (?<user>.*) by" | lookup groupLookup user OUTPUTNEW gid posixgroup given sn | convert timeformat="%d/%m/%y" ctime(_time) as login_time | search posixgroup="groupname" | chart values(posixgroup), values(given), values(sn), latest(login_time) by user | rename user AS "User" | rename values(posixgroup) AS "Groups" | rename values(given) AS "Given Name" | rename values(sn) AS Surname | rename latest(login_time) AS "Last Login"

I think the reason this is not working is because the firstname (given) and the surname (sn) are being generated only by the lookup, not take from the actual log itself, therefore it fails.

Now unless there is some nifty way I can do this the only other way to get around this is to just export the data into the lookup

lookup groupLookup user OUTPUTNEW gid posixgroup given sn fullname

Re: How to concatenate two fields and display as one new field?

aweitzman — Fri, 23 Jan 2015 13:52:23 GMT

Well, for one thing you can get rid of your rename clauses at the end by putting the as bits directly in your chart command:

chart values(posixgroup) as "Groups" values(given) as "Given Name" values(sn) as Surname latest(login_time) as "Last Login" by user

Beyond that, the lookup should not be causing you any problems, really. What happens if you put the eval full_name=given." ".sn clause directly after the lookup clause, and then include values(full_name) as a field in your chart command? I'm running a similar search locally (pulling fields out of lookups and using them in concatenations), and it's working fine.