Solved: Combine fields into new field without NULL

arrowecssupport · ‎06-23-2016

From our data we end up with 2 different fields v7serial & v8serial. I want to be able to feed this into a single serial v78serial.

Example of data
v7serial
987654321

v8serial
123456789

v78serial
123456789
987654321

I am trying

| eval v78serial= toString(v8serial) + ";" + toString(v7serial)
| makemv delim=";" allserials
| mvexpand v78serial | table v78serial

The problem is when i display this data or try to use this field i get "123456789;null" this is because the data has either a v7 or v8 serial never both. So where one field is Null then don't add it to the new field.

somesoni2 · ‎06-23-2016

Try like this

your base search | eval v78serial=coalesce(v8serial,v7serial,"")  | table v78serial

View solution in original post

somesoni2 · ‎06-23-2016

Try like this

your base search | eval v78serial=coalesce(v8serial,v7serial,"")  | table v78serial

Combine fields into new field without NULL

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Combine fields into new field without NULL

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25