Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine 3 Fields with Same ID

Hppjet
Path Finder
‎03-03-2018 10:35 AM

I have 3 fields that will contain the same user IDs and I would like to merge them into 1. They each have a sum value they represent but the 3 fields are just a different role.

If the events look like
Day 1 Pounds=20,field1=A,field2=B,field3=C
Day 2 Pounds=50,field1=C,field2=A,field3=B
Day 3 Pounds =60,field1=B,field2=R,field3=A

Is it possible to combine the 3 so if field1 = A field2 = A field3 = A then the sum(Pounds)=130

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-04-2018 09:10 AM

Are you looking to do this for only a single value at once? I'm trying to imagine taking the above events and producing a table that makes sense. For a single userID (such as "A"), I can envision a search that looks for all events where field1=A OR field2=A OR field3=A and then summing the pounds. No problem.

If you want the sum for every possible userID, I'd expect the solution to involve something like this:

your current search
| eval id=mvappend (field1, field2, field3)
| mvexpand id
| stats sum(pounds) AS total BY id

Given the data in you post, this would result in a table like this:

id  | total
A   | 130
B   | 130
C   | 70
R   | 60

Does that fit your specs?

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎03-04-2018 09:10 AM

Are you looking to do this for only a single value at once? I'm trying to imagine taking the above events and producing a table that makes sense. For a single userID (such as "A"), I can envision a search that looks for all events where field1=A OR field2=A OR field3=A and then summing the pounds. No problem.

If you want the sum for every possible userID, I'd expect the solution to involve something like this:

your current search
| eval id=mvappend (field1, field2, field3)
| mvexpand id
| stats sum(pounds) AS total BY id

Given the data in you post, this would result in a table like this:

id  | total
A   | 130
B   | 130
C   | 70
R   | 60

Does that fit your specs?

Reply
Solved! Jump to solution

Hppjet
Path Finder
‎03-05-2018 04:03 AM

Thank you!!! Yes, it worked perfectly. I wanted to be able to sum for every possible userID. This made my week.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-04-2018 10:21 AM

@elliotproebstel, mvexpand id is not required.

Following is the run anywhere search based on sample data

| makeresults
| eval data="Day 1 Pounds=20,field1=A,field2=B,field3=C;Day 2 Pounds=50,field1=C,field2=A,field3=B;Day 3 Pounds =60,field1=B,field2=R,field3=A"
| makemv data delim=";" 
| mvexpand data
| rename data as _raw
| KV
| eval id=mvappend (field1, field2, field3)
| stats sum(Pounds) as Pounds by id
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎03-04-2018 10:27 AM

Good to know, thanks!

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-04-2018 06:48 AM

You're looking for the function coalesce. It will work like this

| eval new_field=coalesce(fieldA,fieldB,fieldC)

This will take fieldA, fieldB ,fieldC and combine their values into new_field

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎03-04-2018 08:58 AM

No, coalesce will assign to new_field the first non-null value it encounters in the list of fields supplied as arguments. So in the sample code, new_field would always contain the value of fieldA.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...