Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Consolidate fields at search time

Josh
Path Finder
‎04-28-2010 04:58 PM

How can I consolidate 2 or more fields into one new field at search time?

e.g. ...| fields a,b,c | d

In the above I would like d to hold all values in fields a,b,c so what I am doing is creating a new field called d out of the fields a,b and c. Is this possible?

Tags (1)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

Lowell
Super Champion
‎04-28-2010 05:14 PM

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 05:50 PM

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎04-28-2010 07:58 PM

If your intention ultimately is to get statistics or data about each unique combination of a, b and c, then its easier to do things like "stats avg(foo) values(bar) by a, b, c".

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 05:50 PM

Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the | makemv command.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-28-2010 07:57 PM

No, it's the same.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎04-28-2010 06:31 PM

Is there an advantage to using makemv vs using split() eval function? (Other than split() was introduced in 4.1)

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎04-28-2010 05:18 PM

Eval command could do this:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Eval

... | eval field_d=field_a+field_b+field_c | fields field_d

Also, the nomv command might be helpful for your use case:

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Nomv

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎04-28-2010 05:14 PM

If you want them all concatenated, then you can do:

eval d=a.b.c

If you want a multi-value field, you could do something like this (assuming that you don't have ; in your values to begin with):

eval d=split(a . ";" . b . ";" . c, ";")

If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:

eval d=coalesce(a,b,c)

Are any of these what you are looking for?

Reply
Solved! Jump to solution

Josh
Path Finder
‎04-28-2010 05:45 PM

eval d=coalesce(a,b,c)

This worked a treat, single value when a,b or c wcould be null (or missing)

Perfect thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...