Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to combine duplicate fields in the same event ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine duplicate fields in the same event into one field?
Hey Guys,
I have events that contains the same field, like so:
12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy 'True'" Param="-Identity 'Distro Group'" Success="True" Error=""
So as you can see, my event has 2 param fields for the "set-distributionGroup' cmdlet.
I am wondering how to combine this field into one. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you logs have the format mentioned above (key-value pair), Splunk should've extracted a multivalued field Param already, which will contain both the Param values. Try running this and see if you can see both values under same field name.
your base search | table Param
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi weznagwama,
I think you can use "makemv" command with "delim" by mentioning the seperator.
| makemv delim="-" Cmdlet | top Cmdlet
-Krishna Rajapantula
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey mate, thanks for the reply, I've unfortuntaely got stuck on something else relating to powershell scripts running so can't test this yet....until I get the powershell script working. Will post back once I do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you are not getting two Params being field-extracted, you could use a rex and an eval
| rex field=_raw "Param=\"(?<p1>[^\"]*)\" Param=\"(?<p2>[^\"]*)\"" | eval param=p1.p2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey mate,
Thanks for the reply.
Let's assume an event has '4' seperate Params.
Is there a way to field extract to match all? Or would I just have to say regex 10 params, eval p1...p10, to catch up to 10 params?
The issue being that not all events have 2 params...some could have 1 or some could have 6. Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you don't know how many parameters you are going to have, you can have all the params extracted into a multi-value field called 'oneparam', and then use mvjoin to put them into a single parameter (called params). Each field will be separated by a space.
| rex max_match=0 field=_raw "Param=\"(?<oneparam>[^\"]*)\" | eval params=mvjoin(oneparam, " ")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply, I've unfortunately gotten stuck on attempting to get a powershell script working (turns out it's quiet difficult.) Will post back once I get that going. Cheers.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
