Splunk Search

Clarification on Combining values of two fields

Jananee_iNautix
Explorer

Hi,

There are two columns named Filename and Directory and I want to combine the values of the above said fields and display it as a single field.

Filename Directory File

abc /tmp/op /tmp/op abc

Method 1:
I used mvappend command to combine like eval File=mvappend(Directory,Filename) ,the result is as follows

Filename Directory File

abc /tmp/op /tmp/op
abc

dxr /tmp/in /tmp/in
dxr

Method 2:

I used eval File=Directory."".Filename .the result is as follows

Filename Directory File

abc /tmp/op /tmp/op abc

dxr /tmp/in /tmp/in dxr

Can you tell the reason on why mvappend command display the two values one below the other on combining also which method is efficient to use among the two methods mentioned above

Tags (1)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Jananee_iNautix,

Method 1 creates a new multivalued field containing /tmp/op and abc as value.
Method 2 creates a new singlevalued field containing /tmp/op abc as value.

Take this run everywhere example and see that in my_count the values is 2 as there are two values in the field my where as in field yours the count is only 1 value

index=_internal | head 1 | eval foo="1" | eval boo="2" | eval my=mvappend(foo, boo) | eval yours=foo." ".boo | eval my_count=mvcount(my) | eval yours_count=mvcount(yours) | table foo boo my my_count yours yours_count

hope this helps ...

cheers, MuS

MuS
SplunkTrust
SplunkTrust

No, this depends on your use case and what you further do with the new field. You can test it very easy: run both searches and compare the run times in the job inspector.

0 Karma

Jananee_iNautix
Explorer

Can you tell which among the two methods is efficient?

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...