
How do I go about merging two result values and renaming them?

leninkp3005
Explorer

Hi Folks,

I want to merge two result values in a single field that have the same name, and also to rename the result values.

Please, can anyone help me out?

For merging, e.g.:
NAS Type: Count
======== =====
Ethernet\ 10
Ethernet 10
wireless 20
wireless\ 20

What I need as table:
NAS Type: Count
======== =====
Ethernet 10
wireless 20

For renaming result fields:
Status Count
====== =====
Compliance 10
Unknown 20

What I need as table:
Status Count
====== =====
Compliance 10
Non-Compliance 20

Cheers,
Lenin Kp


richgalloway
SplunkTrust

An easy way to combine two fields is with concatenation and eval. Something like this:

.. | eval "NAS Type: Count" = 'NAS Type:'." ".'Count'
---
If this reply helps you, Karma would be appreciated.


adonio
Ultra Champion

Kindly share the search providing the results you mention so we can better assist you.


leninkp3005
Explorer

Hello Adonio,
Apologies for the delayed response!
This is not a big query; it's a very common query.

I used the query below:

index="cisco" sourcetype="cisco:ise:syslog" NAS_Port_Type!=NULL | timechart count by NAS_Port_Type | sort -_time

This query gave the result that is written in my question.
NAS Type: Count
======== =====
Ethernet\ 10
Ethernet 10
wireless 20
wireless\ 20

What I need as table:
NAS Type: Count
======== =====
Ethernet 10
wireless 20

Cheers,
Lenin Kp


kamlesh_vaghela
SplunkTrust

@leninkp3005

Can you please try this?

YOUR_SEARCH | rex mode=sed field=NAS_Port_Type "s/\\\//g" | dedup NAS_Port_Type

Thanks


leninkp3005
Explorer

Thanks, it works.
