Getting Data In

How to combine duplicate fields in the same event into one field?

weznagwama
New Member

Hey Guys,

I have events that contain the same field, like so:

12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy 'True'" Param="-Identity 'Distro Group'" Success="True" Error=""

So as you can see, my event has 2 Param fields for the "Set-DistributionGroup" cmdlet.

I am wondering how to combine this field into one. Thanks!

0 Karma

somesoni2
SplunkTrust

If your logs have the format mentioned above (key-value pairs), Splunk should've extracted a multivalued field Param already, which will contain both the Param values. Try running this and see if you can see both values under the same field name.

your base search | table Param
0 Karma

krishnarajapant
Path Finder

Hi weznagwama,

I think you can use the "makemv" command with "delim" by mentioning the separator.

| makemv delim="-" Cmdlet | top Cmdlet

-Krishna Rajapantula

0 Karma

weznagwama
New Member

Hey mate, thanks for the reply. I've unfortunately got stuck on something else relating to PowerShell scripts running, so I can't test this yet... until I get the PowerShell script working. Will post back once I do.

0 Karma

sduff_splunk
Splunk Employee

If you are not getting two Params being field-extracted, you could use a rex and an eval:

| rex field=_raw "Param=\"(?<p1>[^\"]*)\" Param=\"(?<p2>[^\"]*)\"" | eval param=p1.p2
0 Karma

weznagwama
New Member

Hey mate,

Thanks for the reply.

Let's assume an event has 4 separate Params.

Is there a way to field extract to match all? Or would I just have to say regex 10 params, eval p1...p10, to catch up to 10 params?

The issue being that not all events have 2 Params... some could have 1 or some could have 6. Thanks again.

0 Karma

sduff_splunk
Splunk Employee

If you don't know how many parameters you are going to have, you can have all the Params extracted into a multi-value field called 'oneparam' (rex with max_match=0 keeps every match instead of only the first), and then use mvjoin to put them into a single field (called params). Each value will be separated by a space.

| rex max_match=0 field=_raw "Param=\"(?<oneparam>[^\"]*)\"" | eval params=mvjoin(oneparam, " ")
0 Karma
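The two approaches above (Splunk's automatic key-value extraction producing a multivalue Param field, and the rex max_match=0 plus mvjoin fallback) both boil down to: collect every key="value" match in the event, keep repeated keys as a list, and join the list. The following Python is an added example, not part of the thread or of Splunk, that replays that logic outside Splunk so it can be checked against events with one, two and four Param pairs. The sample events are constructed for the example in the same Exchange admin-audit style as the original post; the regex makes the same assumption as the thread's rex (a value runs to the next unescaped double quote) and additionally tolerates backslash-escaped quotes, which is my assumption, not something the page states.

```python
import re

# Constructed sample events in the style of the original post (not real log data):
# one, two and four Param= pairs, so the unknown-count case from the thread is covered.
SAMPLE_EVENTS = [
    '12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" '
    'Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy \'True\'" '
    'Param="-Identity \'Distro Group\'" Success="True" Error=""',
    '12/08/2015 1:04:10 PM Server="exchange" User="admin@domain.com" Identity="x=" '
    'Cmdlet="Get-Mailbox" Param="-Identity \'jdoe\'" Success="True" Error=""',
    '12/08/2015 1:05:00 PM Server="exchange" User="admin@domain.com" Identity="y=" '
    'Cmdlet="New-Mailbox" Param="-Name \'J Doe\'" Param="-Alias \'jdoe\'" '
    'Param="-UserPrincipalName \'jdoe@domain.com\'" Param="-Database \'DB01\'" '
    'Success="False" Error="Quota"',
]

# key="value": the value is anything up to the next unescaped double quote.
# Like the thread's rex with max_match=0, findall() returns every match, not just the first.
# Assumption (mine, not the page's): a backslash-escaped quote may appear inside a value.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def extract_fields(event):
    """Return {field: [values, ...]}; a key seen more than once becomes a multivalue field,
    which is what Splunk's automatic KV extraction does for the repeated Param key."""
    fields = {}
    for key, value in KV_RE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def mvjoin(values, delim=" "):
    """Equivalent of Splunk's mvjoin(): collapse a multivalue field into one string."""
    return delim.join(values)


def combine_params(event, delim=" "):
    """The whole recipe from the thread: all Param values of one event joined into 'params'.
    Works for any number of Params, including none (returns an empty string)."""
    return mvjoin(extract_fields(event).get("Param", []), delim)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        fields = extract_fields(event)
        print(fields["Cmdlet"][0], "->", len(fields.get("Param", [])), "Param(s):",
              combine_params(event))
```

Note that joining with a space loses the boundary between parameters once a value itself contains spaces (as in -Identity 'Distro Group'); if the combined string is meant to be parsed again later, a delimiter that cannot occur in a value, or keeping the multivalue field as-is, is the safer choice.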

weznagwama
New Member

Thanks for the reply. I've unfortunately gotten stuck on attempting to get a PowerShell script working (turns out it's quite difficult). Will post back once I get that going. Cheers.

0 Karma