Solved: Combine a numerical field with a string field sepa...

subhrangshu · ‎08-19-2020

Hello,

I am trying to combine couple of fields data separated by a dash. Tried few options but could not get the expected output.

My query is:

index=test sourcetype="test-abc" ("enter start()")
| rename job_id as JOB_ID
| stats earliest(_time) AS Earliest by JOB_ID
| eval FirstEvent=strftime(Earliest,"%b %d, %Y %H:%M:%S")
| eval JOB_ID_STR=tostring(JOB_ID)
| eval JOB-ID-WITH-TIME=printf("%s%z", JOB_ID_STR,FirstEvent)

In the above query: JOB_ID is a numerical data of length 4 digit. FirstEvent is string of time format of that event.

Ex:

JOB_ID = 9000 and FirstEvent = Jul 07, 2020 04:56:43

Using the above query and with printf function, JOB-ID-WITH-TIME is returned as 9000Jul 07, 2020 04:56:43.

I want the output to be like 9000-Jul 07, 2020 04:56:43 (a dash between JOB_ID and FirstEvent).

How to do it?

Thanks in advance for your time!

diogofgm · ‎08-19-2020

You can just use eval for that:

JOB_ID = 9000 and FirstEvent = Jul 07, 2020 04:56:43

| eval job_with_time = JOB_ID + "-" + FirstEvent

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

diogofgm · ‎08-19-2020

You can just use eval for that:

JOB_ID = 9000 and FirstEvent = Jul 07, 2020 04:56:43

| eval job_with_time = JOB_ID + "-" + FirstEvent

------------
Hope I was able to help you. If so, some karma would be appreciated.

subhrangshu · ‎08-19-2020

Thanks for the prompt reply. I don't know, how I missed this. Thanks again 😃

Combine a numerical field with a string field separated with a dash

eval

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies