Re: Combine Dynamic Fields Starting with same valu...

DanielWick · ‎01-04-2018

So I have multiple fields whose field names could end with a different values. Examples of these fields are below:
foo.foo_a = 1
foo.foo_b = 2
foo.foo_123 = null
foo.foo_test = 4

What I want to do is combine all of these values into a single value.
Essentially, I want a new value like below
new_value= foo.foo_*
where new_value would then be equal to:
1
2
4

If anybody could help guide me on this, it would be greatly appreciated.

I was hoping that something like
stats list(foo.foo_*) by field
would have worked, but it doesn't provide the output that I am looking for, which is all of the fields combined into one.

somesoni2 · ‎01-04-2018

Give this a try. It , combines all foo.foo_* field values, concatenated by space, into field foo. If you want different delimiter, just update the 2nd expression in foreach-eval.

your current search with all foo.foo_* fields
| eval foo="" 
| foreach foo.foo_* [ eval foo=if(foo="",'<<FIELD>>',foo." ".'<<FIELD>>']

Combine Dynamic Fields Starting with same value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation