
How to combine duplicate fields in the same event into one field?

weznagwama
New Member

Hey Guys,

I have events that contain the same field more than once, like so:

12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy 'True'" Param="-Identity 'Distro Group'" Success="True" Error=""

So as you can see, my event has 2 Param fields for the "Set-DistributionGroup" cmdlet.

I am wondering how to combine this field into one. Thanks!


somesoni2
Revered Legend

If your logs have the format mentioned above (key-value pairs), Splunk should've extracted a multivalued field Param already, which will contain both of the Param values. Try running this and see if you can see both values under the same field name.

your base search | table Param

krishnarajapant
Path Finder

Hi weznagwama,

I think you can use the "makemv" command with "delim" by mentioning the separator.

| makemv delim="-" Cmdlet | top Cmdlet

-Krishna Rajapantula


weznagwama
New Member

Hey mate, thanks for the reply. I've unfortunately got stuck on something else relating to PowerShell scripts running, so I can't test this yet... until I get the PowerShell script working. Will post back once I do.


sduff_splunk
Splunk Employee

If you are not getting two Params being field-extracted, you could use a rex and an eval:

| rex field=_raw "Param=\"(?<p1>[^\"]*)\" Param=\"(?<p2>[^\"]*)\"" | eval param=p1.p2

weznagwama
New Member

Hey mate,

Thanks for the reply.

Let's assume an event has 4 separate Params.

Is there a way to field-extract to match all of them? Or would I just have to regex 10 Params, eval p1...p10, to catch up to 10 Params?

The issue being that not all events have 2 Params... some could have 1 and some could have 6. Thanks again.


sduff_splunk
Splunk Employee

If you don't know how many parameters you are going to have, you can have all the Params extracted into a multivalue field called 'oneparam', and then use mvjoin to put them into a single field (called params). Each value will be separated by a space.

| rex max_match=0 field=_raw "Param=\"(?<oneparam>[^\"]*)\"" | eval params=mvjoin(oneparam, " ")
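The two rex-based answers above (the fixed two-Param pattern with `eval param=p1.p2`, and the `max_match=0` pattern with `mvjoin`) can be checked offline before touching a search head. The following is an added Python example, not code from the thread or from Splunk: it applies the same two regexes to constructed events (the first is the event from the question, the other two are made up here to show the 1-Param and 3-Param cases), with `re.findall` standing in for `rex max_match=0` and `str.join` standing in for `mvjoin`. For these patterns Python's `re` and Splunk's PCRE behave the same.

```python
import re

# Regex from the max_match=0 answer: every Param="..." value in the event.
PARAM_RE = re.compile(r'Param="([^"]*)"')

# Regex from the earlier answer: exactly two adjacent Param fields.
TWO_PARAM_RE = re.compile(r'Param="([^"]*)" Param="([^"]*)"')

# Constructed sample events. EVENTS[0] is the event from the question;
# the other two are invented to show the variable-count problem.
EVENTS = [
    "12/08/2015 1:03:03 PM Server=\"exchange\" User=\"admin@domain.com\" "
    "Identity=\"bigstring=\" Cmdlet=\"Set-DistributionGroup\" "
    "Param=\"-IgnoreNamingPolicy 'True'\" Param=\"-Identity 'Distro Group'\" "
    "Success=\"True\" Error=\"\"",
    # One Param only (hypothetical event).
    "12/08/2015 1:04:10 PM Server=\"exchange\" User=\"admin@domain.com\" "
    "Identity=\"x=\" Cmdlet=\"Get-Mailbox\" Param=\"-Identity 'someone'\" "
    "Success=\"True\" Error=\"\"",
    # Three Params (hypothetical event).
    "12/08/2015 1:05:42 PM Server=\"exchange\" User=\"admin@domain.com\" "
    "Identity=\"y=\" Cmdlet=\"Set-DistributionGroup\" "
    "Param=\"-Identity 'Distro Group'\" Param=\"-Name 'New Name'\" "
    "Param=\"-Alias 'newname'\" Success=\"True\" Error=\"\"",
]


def extract_params(event):
    """Equivalent of `rex max_match=0`: the multivalue field as a Python list."""
    return PARAM_RE.findall(event)


def join_params(event, sep=" "):
    """Equivalent of `eval params=mvjoin(oneparam, " ")`."""
    return sep.join(extract_params(event))


def two_param_concat(event):
    """Equivalent of the fixed two-Param rex followed by `eval param=p1.p2`.

    Returns None when the regex does not match (fewer than two Params),
    and silently drops any Param beyond the second.
    """
    m = TWO_PARAM_RE.search(event)
    if m is None:
        return None
    return m.group(1) + m.group(2)


if __name__ == "__main__":
    for ev in EVENTS:
        print("multivalue :", extract_params(ev))
        print("mvjoin     :", join_params(ev))
        print("p1.p2      :", two_param_concat(ev))
        print()
```

Running it shows why the `max_match=0` form is the safer one: the two-Param pattern returns nothing at all for the 1-Param event and drops the third value of the 3-Param event, while `findall` plus `join` handles any count. It also shows that `eval param=p1.p2` has no separator, so the joined string runs the two values together.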

weznagwama
New Member

Thanks for the reply. I've unfortunately gotten stuck on attempting to get a PowerShell script working (turns out it's quite difficult). Will post back once I get that going. Cheers.
