Solved: Re: How can I parse 2 columns with text format tog...

mklhs · ‎10-29-2019

I have 2 columns with text format (data 1 and data 2). One of the two columns is empty. I want to parse the 2 columns into a separate column together (data3).

P.S search | eval data3 = coalesce(data1, data2) it doesn't work

to4kawa · ‎11-29-2019

| makeresults
| eval _raw="time,\"data 1\",\"data 2\",\"data 3\"
2019-10-29 15:50:00.109+02:00,#user1#20191029155000#,
2019-10-29 15:51:00.109+02:00,,#user1#20191029155100#,
2019-10-29 15:52:00.109+02:00,#user1#20191029155200#,"
| multikv forceheader=1
| rename data_*_ as "data "*
| table time "data "*
`comment("this is sample data")`
| eval "data 3" = coalesce('data 1','data 2')

If you can describe the field name correctly, coalesce works.

View solution in original post

to4kawa · ‎11-29-2019

| makeresults
| eval _raw="time,\"data 1\",\"data 2\",\"data 3\"
2019-10-29 15:50:00.109+02:00,#user1#20191029155000#,
2019-10-29 15:51:00.109+02:00,,#user1#20191029155100#,
2019-10-29 15:52:00.109+02:00,#user1#20191029155200#,"
| multikv forceheader=1
| rename data_*_ as "data "*
| table time "data "*
`comment("this is sample data")`
| eval "data 3" = coalesce('data 1','data 2')

If you can describe the field name correctly, coalesce works.

HiroshiSatoh · ‎10-29-2019

Do I need to add it?

 | eval data3 = if(isnull(data1), data2,data1)

mklhs · ‎10-30-2019

Hello @HiroshiSatoh,

the column "data3" is empty. So, the column "data1" and "data2" were not parsed together. Do you know what it might be?

HiroshiSatoh · ‎10-30-2019

Is there a space in the field name?
If there is a space, please enclose it with a single quote.

data□1
↓
'data□1'

How can I parse 2 columns with text format together?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor