Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consolidate fields at search time

Josh
Path Finder
‎04-28-2010 04:58 PM

How can I consolidate 2 or more fields into one new field at search time?

e.g. ...| fields a,b,c | d

In the above I would like d to hold all values in fields a,b,c so what I am doing is creating a new field called d out of the fields a,b and c. Is this possible?

Tags (1)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

Lowell
Super Champion
‎04-28-2010 05:14 PM

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 05:50 PM

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-28-2010 07:58 PM

If your intention ultimately is to get statistics or data about each unique combination of a, b and c, then its easier to do things like "stats avg(foo) values(bar) by a, b, c".

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 05:50 PM

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 07:57 PM

No, it's the same.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎04-28-2010 06:31 PM

Is there an advantage to using makemv vs using split() eval function? (Other than split() was introduced in 4.1)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎04-28-2010 05:18 PM

Eval command could do this:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Eval

... | eval field_d=field_a+field_b+field_c | fields field_d

Also, the nomv command might be helpful for your use case:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Nomv

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎04-28-2010 05:14 PM

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

Reply
Solved! Jump to solution

Josh
Path Finder
‎04-28-2010 05:45 PM

eval d=coalesce(a,b,c)

This worked a treat, single value when a,b or c wcould be null (or missing)

Perfect thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...