- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining two fields with a constant string between
I am pulling two fields from a CSV based off of a field in live logs, then combining them into one field with a constant string in between them.
What I have tried thus far :
|eval field3=field1." - ".field2
|eval field3=field1 + " - " + field2
|eval field3=if(field1="", field1." - ".field2, "didnt work")
|eval field3=if(field1="", field1 + " - " + field2, "didnt work")
|eval field3=if(NOT (field1=""), field1." - ".field2, "didnt work")
|eval field3=if( NOT (field1=""), field1 + " - " + field2, "didnt work")
None of these work. Even with a fillnull before them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I faced this issue in recent past
To appraise if you are using above SPL with datamodel , I would suggest you use drop_dm_object_name("datamodel_name") before using eval condition
Example
| `drop_dm_object_name("datamodel_name")`
| eval field3= field1 + ";" + field2
| makemv delim=";" field3
Reference: https://answers.splunk.com/answers/49394/merge-two-fields-into-one-field.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There no datamodel, straight index and sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think what the underlying issue is that its coming from a CSV. I can get them to display individually, but when I try to combine them in the query... its a no-go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
|eval field3=mvappend(field1,field2)
|eval field3=mvjoin(field3,"-")
maybe, some fields has null.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This one had some rather unexpected results. "field1" repeated a random number of times, followed by the same number of "field2". The "-" seems to be at the front of every entry but the first.
A bit closer, things are showing up but still not quite -> "data - data"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the fields are multivalue.
First, you should convert them to single values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try field1 and field2 with a single quote
| makeresults
| eval field1="test",field2="test2"
| eval field3='field1'."-".'field2'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Even though it was basically the first option that was attempted, I tried it with the single-quotes...
...to no avail.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please provide some samples of field1 and field2?
