Solved: Combine multiple comma separated fields into one f...

d12harshal · ‎07-11-2014

Combine 2 multiple comma separated field values into one field. Examples are mentioned below "table output" should be extracted from "table input".

Table input:
Field1 Field2 Field3 1 1,2,3 name (value1), name (value2), name(value3) 2 1,2,3 name (value1), name (value2), name(value3) 3 1,2,3 name (value1), name (value2), name(value3) 4 1,2,3,4 name (value1), name (value2), name(value3), name (value4)

Table output:
Field1 Field2 1 [1] name (value), [2] name (value), [3]name (value) 2 [1] name (value1), [2] name (value2), [3]name (value3) 3 [1] name (value1), [2] name (value2), [3]name (value3) 4 [1] name (value1), [2] name (value2), [3]name (value3), [4]name (value4)

Splunk event sample:
NETWORK::Temp."1" = "name (value1), name (value2), name(value3)" NETWORK::Temp."2" = "name (value1), name (value2), name(value3)" NETWORK::ID."1" = "1, 2, 3" NETWORK::ID."2" = "1, 2, 3"

somesoni2 · ‎07-11-2014

Try this

your base search giving Table input | eval Field2="[".replace(Field2,",","],[")."]"| makemv delim="," Field2 | makemv delim=", " Field3 | eval Field2=mvzip(Field2, Field3)  | nomv Field2

View solution in original post

somesoni2 · ‎07-11-2014

Try this

your base search giving Table input | eval Field2="[".replace(Field2,",","],[")."]"| makemv delim="," Field2 | makemv delim=", " Field3 | eval Field2=mvzip(Field2, Field3)  | nomv Field2

Combine multiple comma separated fields into one field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation