Getting Data In

concat two fields into one

Path Finder

ok, we have a field defined (user), and for another sourcetype I have the extracts already occurring for appUser and appDomain.. so for this sourcetype I want user to be overridden as appUser@appDomain.

my guess would be index time? But I don't really care as long as it works.


Path Finder

looking at:
http://www.splunk.com/support/forum:SplunkGeneral/2684

it looks like maybe this isn't doable with extracted fields?


Legend

Correct. Concatenating different values for one single field when doing extractions is possible with index-time extractions only.

Legend

Quick and easy solution would be to use eval or strcat to concatenate the field values together. Like

<yourbasesearch> | eval user=appUser."@".appDomain

If you (or your users) don't want to have to specify that in every search though, you kind of can concatenate your appUser and appDomain values to the user field in props.conf and transforms.conf. The idea would be to take the regex for one of them then glue it together with the regex for the other using some generic matching regex between them, match both fields then combine them. NOTE: this can be done ONLY for index-time extractions. Concatenating fields together in this way does not work with search-time extractions. At search-time you'd have to use the eval solution.

In props.conf:

[yoursourcetype]
TRANSFORMS-user = extractuser

In transforms.conf:

[extractuser]
REGEX = (the appUser regex).+?(the appDomain regex)
FORMAT = user::$1@$2
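To make the difference between the two approaches concrete, here is an added Python simulation (not code from the thread or from Splunk) of what the index-time transform above does: the two per-field regexes are glued together with a lazy `.+?`, and the capture groups are substituted into the `FORMAT` string. It also shows the search-time `eval` equivalent operating on already-extracted fields. The event lines, field names and regexes are constructed for the example; Splunk's real extraction engine is more involved than this.

```python
import re

# Constructed sample events; these are not from the original thread.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 appUser=jdoe appDomain=corp.example action=login",
    "2024-01-01T10:00:05 appUser=asmith appDomain=sales.example action=logout",
    "2024-01-01T10:00:09 action=heartbeat",  # neither field present
]

# Hypothetical per-field regexes standing in for "(the appUser regex)" and
# "(the appDomain regex)" in the transforms.conf stanza above.
APPUSER_RE = r"appUser=(\S+)"
APPDOMAIN_RE = r"appDomain=(\S+)"

# Glue them with a non-greedy .+? so the combined regex matches both fields
# from one raw event, as the answer describes.
COMBINED_RE = re.compile(APPUSER_RE + r".+?" + APPDOMAIN_RE)
FORMAT = "user::$1@$2"


def apply_transform(event, regex=COMBINED_RE, fmt=FORMAT):
    """Simulate the index-time transform: run the combined regex against
    the raw event text and substitute $1, $2, ... into FORMAT.

    Returns a dict of {field: value}, or {} when the regex does not match.
    """
    m = regex.search(event)
    if not m:
        return {}
    out = fmt
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)
    key, _, value = out.partition("::")
    return {key: value}


def search_time_eval(fields):
    """Equivalent of: | eval user=appUser."@".appDomain
    applied to fields that search-time extraction already produced."""
    app_user = fields.get("appUser")
    app_domain = fields.get("appDomain")
    if app_user is None or app_domain is None:
        return None
    return f"{app_user}@{app_domain}"


def index_all(events):
    """Run the transform over a batch of raw events, keeping only hits."""
    return [apply_transform(e) for e in events if apply_transform(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e, "->", apply_transform(e))
    print(search_time_eval({"appUser": "jdoe", "appDomain": "corp.example"}))
```

Note that `apply_transform` only produces a value when the combined regex is run against the whole raw event: fed just the value of a single already-extracted field (for example the string `jdoe`), it finds no match and yields nothing, which is why the combined regex has to be written against the raw message rather than against an earlier transform's output.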

Legend

My bad - this cannot be done with search-time extractions, just at index-time, as described in transforms.conf.spec. You need TRANSFORMS instead of REPORT. Updating my answer to reflect that.


Path Finder

thanks.. that is sort of working, but it isn't substituting correctly (just leaving $1@$2 for the field value). I suspect it's because I'm trying to use SOURCE_KEY={another extracted field from a previous transform}. I guess I have to regex from the overall raw log message?


Legend

So when the user issues the search, the returned fields include "user", "appUser" and "appDomain"?


Path Finder

I may not be making this clear.. there is already an extract for appUser and appDomain. We have a generic (more than this app) field called "user" and I want to concat these two fields with an "@" sign in the middle. I don't want the user to have to do this in every search (I don't really care if it is done at index time or not)


Legend

How do you know which user corresponds to which appUser@appDomain?


New Member

Why not just use rename as?


Path Finder

can I do that in props or something? I know I can do it in an individual search, but I need it done for everyone.
