- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that generates a list of IP addresses and usernames by time. I'd like to dedup the value of ip address + username. I cannot dedup just one (ip OR username) because the IP addresses get recycled and will get reassigned to another user.
Is it possible to combine my 2 fields (ip_address + username) to create a 3rd field that I can use for dedup purposes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could concatenate the fields together:
your search | eval new_field = field1."-".field2
"-" in this example is a separator -- you can use anything (or nothing) there. To just concat the fields do field1.field2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could concatenate the fields together:
your search | eval new_field = field1."-".field2
"-" in this example is a separator -- you can use anything (or nothing) there. To just concat the fields do field1.field2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks a lot. this is really useful. i've got exactly what i wanted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
many thanks for this tip
