Solved: Combine multiple comma separated fields into one f...

d12harshal · ‎07-11-2014

Combine 2 multiple comma separated field values into one field. Examples are mentioned below "table output" should be extracted from "table input".

Table input:
Field1 Field2 Field3 1 1,2,3 name (value1), name (value2), name(value3) 2 1,2,3 name (value1), name (value2), name(value3) 3 1,2,3 name (value1), name (value2), name(value3) 4 1,2,3,4 name (value1), name (value2), name(value3), name (value4)

Table output:
Field1 Field2 1 [1] name (value), [2] name (value), [3]name (value) 2 [1] name (value1), [2] name (value2), [3]name (value3) 3 [1] name (value1), [2] name (value2), [3]name (value3) 4 [1] name (value1), [2] name (value2), [3]name (value3), [4]name (value4)

Splunk event sample:
NETWORK::Temp."1" = "name (value1), name (value2), name(value3)" NETWORK::Temp."2" = "name (value1), name (value2), name(value3)" NETWORK::ID."1" = "1, 2, 3" NETWORK::ID."2" = "1, 2, 3"

somesoni2 · ‎07-11-2014

Try this

your base search giving Table input | eval Field2="[".replace(Field2,",","],[")."]"| makemv delim="," Field2 | makemv delim=", " Field3 | eval Field2=mvzip(Field2, Field3)  | nomv Field2

View solution in original post

somesoni2 · ‎07-11-2014

Try this

your base search giving Table input | eval Field2="[".replace(Field2,",","],[")."]"| makemv delim="," Field2 | makemv delim=", " Field3 | eval Field2=mvzip(Field2, Field3)  | nomv Field2

Combine multiple comma separated fields into one field

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

Are you a member of the Splunk Community?

Combine multiple comma separated fields into one field

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase