Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining field names into one new result name

Grant007701
New Member
‎07-11-2018 03:03 AM

Hi,

I'm trying to combine results of varying operating systems into one, for example:

Microsoft Windows Server 2008
Microsoft Windows Server 2008r2
Microsoft Windows Server 2012

All to be listed as

Windows Server

Does anyone know I may do this? I tried this but wouldn't work:

...chart count(signature) by operating-system | eval sort_field=case(operating-system=="Microsoft Windows*",Windows Server)

Tags (1)
0 Karma
Reply

manish_singh_77
Builder
‎07-11-2018 04:33 AM

Hi,

You can also use field aliases in this case, refer the below link for more info and let me know if it works for you.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Addaliasestofields

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 03:36 AM

Three problems with your eval:

  1. operating-system would subtract system from operating - use single quotes to enclose non-standard field names.
  2. =="Microsoft Windows* looks for literal equality, use match() to allow regex-based matches.
  3. Windows Server should throw syntax errors, enclose strings in double quotes.
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 05:06 AM

See docs on match(), it only takes two parameters: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/ConditionalFunctions#match.28SUBJE...

0 Karma
Reply

Grant007701
New Member
‎07-11-2018 04:15 AM

Thanks for this.

Still struggling though, I have changed to the following:

...chart count(signature) by operating-system | eval sort_field=case('operating-system'=match('operating-system',"Microsoft*","Windows Server",0))

The arguments to the 'match' function are invalid.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...