Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consolidate fields at search time

Josh
Path Finder
‎04-28-2010 04:58 PM

How can I consolidate 2 or more fields into one new field at search time?

e.g. ...| fields a,b,c | d

In the above I would like d to hold all values in fields a,b,c so what I am doing is creating a new field called d out of the fields a,b and c. Is this possible?

Tags (1)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

Lowell
Super Champion
‎04-28-2010 05:14 PM

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 05:50 PM

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-28-2010 07:58 PM

If your intention ultimately is to get statistics or data about each unique combination of a, b and c, then its easier to do things like "stats avg(foo) values(bar) by a, b, c".

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 05:50 PM

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 07:57 PM

No, it's the same.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎04-28-2010 06:31 PM

Is there an advantage to using makemv vs using split() eval function? (Other than split() was introduced in 4.1)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎04-28-2010 05:18 PM

Eval command could do this:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Eval

... | eval field_d=field_a+field_b+field_c | fields field_d

Also, the nomv command might be helpful for your use case:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Nomv

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎04-28-2010 05:14 PM

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

Reply
Solved! Jump to solution

Josh
Path Finder
‎04-28-2010 05:45 PM

eval d=coalesce(a,b,c)

This worked a treat, single value when a,b or c wcould be null (or missing)

Perfect thanks

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...