concat two fields into one
ok, we have a field defined (user), and for another sourcetype I have the extracts already occurring for appUser and appDomain.. so for this sourcetype I want user to be overridden as appUser@appDomain.
my guess would be index time? But I don't really care as long as it works.
looking at:
http://www.splunk.com/support/forum:SplunkGeneral/2684
it looks like maybe this isn't doable with extracted fields?
Correct. Concatenating different values for one single field when doing extractions is possible with index-time extractions only.
Quick and easy solution would be to use eval or strcat to concatenate the field values together. Like
<yourbasesearch> | eval user=appUser."@".appDomain
If you (or your users) don't want to have to specify that in every search though, you kind of can concatenate your appUser and appDomain values to the user field in props.conf and transforms.conf. The idea would be to take the regex for one of them then glue it together with the regex for the other using some generic matching regex between them, match both fields then combine them. NOTE: this can be done ONLY for index-time extractions. Concatenating fields together in this way does not work with search-time extractions. At search-time you'd have to use the eval solution.
In props.conf:
[yoursourcetype]
TRANSFORMS-user = extractuser
In transforms.conf:
[extractuser]
REGEX = (the appUser regex).+?(the appDomain regex)
FORMAT = user::$1@$2
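As an added example (not code from the thread or from Splunk), here is a small Python harness that emulates how the glued REGEX and the user::$1@$2 FORMAT in the answer above would behave on sample events, so the composed regex can be checked against real data before it goes into an index-time transform, where a mistake is only fixable by reindexing. The appUser/appDomain regexes and the log lines are constructed assumptions.

```python
import re

# Assumed stand-ins for "(the appUser regex)" and "(the appDomain regex)".
APP_USER_RE = r"appUser=(\w+)"
APP_DOMAIN_RE = r"appDomain=([\w.-]+)"
# The glued-together index-time regex from the answer: user, anything, domain.
REGEX = f"{APP_USER_RE}.+?{APP_DOMAIN_RE}"
FORMAT = "user::$1@$2"

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 appUser=alice action=login appDomain=corp.example.com status=ok",
    "2024-01-01T10:00:01 appDomain=corp.example.com appUser=bob status=ok",  # fields reversed
    "2024-01-01T10:00:02 appUser=carol status=fail",                          # domain missing
]


def apply_transform(raw: str, regex: str = REGEX, fmt: str = FORMAT) -> dict:
    """Emulate one transforms.conf REGEX/FORMAT pair on a single raw event.

    FORMAT is a space-separated list of name::value pairs where $N refers to
    capture group N. In this emulation a non-matching regex yields {} (no
    field at all), which is the outcome to look for when validating a regex.
    """
    m = re.search(regex, raw)
    if not m:
        return {}
    fields = {}
    for pair in fmt.split():
        name, value = pair.split("::", 1)
        # Substitute every $N with the text of capture group N.
        value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", value)
        fields[name] = value
    return fields


def check_events(events=SAMPLE_EVENTS) -> list:
    """Run the transform over every sample event and return the extracted
    fields per event; an empty dict marks an event the regex would miss."""
    return [apply_transform(e) for e in events]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, check_events()):
        print(fields or "NO MATCH", "<-", event)
```

Because the composed regex fixes the order appUser-then-appDomain, the second sample event (domain before user) extracts nothing, so order variations in the real data need to be covered by the regex or they silently produce no user field.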
My bad - this cannot be done with search-time extractions, just at index-time, as described in transforms.conf.spec. You need TRANSFORMS instead of REPORT. Updating my answer to reflect that.
thanks.. that is sort of working, but it isn't substituting correctly (just leaving $1@$2 for the field value). I suspect it's because I'm trying to use SOURCE_KEY={another extracted field from a previous transform}. I guess I have to regex from the overall raw log message?
So when the user issues the search, the returned fields include "user", "appUser" and "appDomain"?
I may not be making this clear.. there is already an extract for appUser and appDomain. We have a generic (more than this app) field called "user" and I want to concat these two fields with an "@" sign in the middle. I don't want the user to have to do this in every search (I don't really care if it is done at index time or not)
How do you know which user corresponds to which appUser@appDomain?
Why not just use rename as?
can I do that in props or something? I know I can do it in an individual search, but I need it done for everyone.
