Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combine Dynamic Fields Starting with same value

DanielWick
New Member
‎01-04-2018 05:50 AM

So I have multiple fields whose field names could end with a different values. Examples of these fields are below:
foo.foo_a = 1
foo.foo_b = 2
foo.foo_123 = null
foo.foo_test = 4

What I want to do is combine all of these values into a single value.
Essentially, I want a new value like below
new_value= foo.foo_*
where new_value would then be equal to:
1
2
4

If anybody could help guide me on this, it would be greatly appreciated.

I was hoping that something like
stats list(foo.foo_*) by field
would have worked, but it doesn't provide the output that I am looking for, which is all of the fields combined into one.

0 Karma
Reply

somesoni2
Revered Legend
‎01-04-2018 07:26 AM

Give this a try. It , combines all foo.foo_* field values, concatenated by space, into field foo. If you want different delimiter, just update the 2nd expression in foreach-eval.

your current search with all foo.foo_* fields
| eval foo="" 
| foreach foo.foo_* [ eval foo=if(foo="",'<<FIELD>>',foo." ".'<<FIELD>>']
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...