Solved: Combine multiple comma separated fields into one f...

d12harshal · ‎07-11-2014

Combine 2 multiple comma separated field values into one field. Examples are mentioned below "table output" should be extracted from "table input".

Table input:
Field1 Field2 Field3 1 1,2,3 name (value1), name (value2), name(value3) 2 1,2,3 name (value1), name (value2), name(value3) 3 1,2,3 name (value1), name (value2), name(value3) 4 1,2,3,4 name (value1), name (value2), name(value3), name (value4)

Table output:
Field1 Field2 1 [1] name (value), [2] name (value), [3]name (value) 2 [1] name (value1), [2] name (value2), [3]name (value3) 3 [1] name (value1), [2] name (value2), [3]name (value3) 4 [1] name (value1), [2] name (value2), [3]name (value3), [4]name (value4)

Splunk event sample:
NETWORK::Temp."1" = "name (value1), name (value2), name(value3)" NETWORK::Temp."2" = "name (value1), name (value2), name(value3)" NETWORK::ID."1" = "1, 2, 3" NETWORK::ID."2" = "1, 2, 3"

somesoni2 · ‎07-11-2014

Try this

your base search giving Table input | eval Field2="[".replace(Field2,",","],[")."]"| makemv delim="," Field2 | makemv delim=", " Field3 | eval Field2=mvzip(Field2, Field3)  | nomv Field2

View solution in original post

somesoni2 · ‎07-11-2014

Try this

your base search giving Table input | eval Field2="[".replace(Field2,",","],[")."]"| makemv delim="," Field2 | makemv delim=", " Field3 | eval Field2=mvzip(Field2, Field3)  | nomv Field2

Combine multiple comma separated fields into one field

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?