Splunk Search

Create new field by combining 2 fields from same index.

onthakur
Engager

I got 2 fields from the same Splunk index.
field1 has rows 1,2,3,4,5 and field2 has rows 10,12.
I want a new field3 with data from both field1 and field2.

Please suggest.

field1  field2
1       10
2       12
3
4
5


field3
1
2
3
4
5
10
12

dtburrows3
Builder

Notice that your requested output has more rows than the original input rows. To do this would require some sort of transformation; one way could be to use an mvexpand method, and it would look something like this.

<base_search>
    | eval
        field3=mvappend(field1, field2)
    | fields + field3
    | mvexpand field3
    | sort 0 +field3

You can see in the screenshot that field3 is in your requested format

[screenshot: dtburrows3_0-1705598621738.png]

Full SPL to replicate

| makeresults count=5
    | streamstats
        count as field1
    | eval
        field2=case(
            'field1'==1, 10,
            'field1'==2, 12,
            True(), null()
            )
    | fields - _time
    ``` mvexpand method ```
    | eval
        field3=mvappend(field1, field2)
    | mvexpand field3
    | sort 0 +field3


Another method would be append (subsearches can be truncated if you hit any Splunk limits), something like this:

<base_search> field1=*
    | eval
        field3='field1'
    | fields + field3
    | append
        [
            | search <base_search> field2=*
                | eval
                    field3='field2'
                | fields + field3
            ]

[screenshot: dtburrows3_1-1705599099873.png]

Full SPL to replicate

| makeresults count=5
    | streamstats
        count as field1
    | eval
        field2=case(
            'field1'==1, 10,
            'field1'==2, 12,
            True(), null()
            )
    | fields - _time
    | search field1=*
    | eval
        field3='field1'
    
    ``` append method ```
    | append
        [
            | makeresults count=5
                | streamstats
                    count as field1
                | eval
                    field2=case(
                        'field1'==1, 10,
                        'field1'==2, 12,
                        True(), null()
                        )
                | fields - _time
                | search field2=*
                | eval
                    field3='field2'
            ]


I bet there is also a slick way of using the appendpipe command to achieve this.

<base_search>
    | appendpipe
        [
            | stats
                values(field2) as field2
            ]
    | eval
        field3=coalesce(field1, field2)
    | mvexpand field3

The output looks like this:

[screenshot: dtburrows3_2-1705599309233.png]

Full SPL to replicate

| makeresults count=5
    | streamstats
        count as field1
    | eval
        field2=case(
            'field1'==1, 10,
            'field1'==2, 12,
            True(), null()
            )
    | fields - _time
    ``` appendpipe method ```
    | appendpipe
        [
            | stats
                values(field2) as field2
            ]
    | eval
        field3=coalesce(field1, field2)
    | mvexpand field3

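As an added example (not code from this thread), here is a small Python model of the three approaches above so their row counts and duplicate handling can be compared offline. The Splunk semantics it assumes are simplifications: mvappend skips nulls, stats values() returns distinct sorted values, and mvexpand emits one row per value.

```python
# Added example, not code from the thread: a pure-Python model of the three SPL
# approaches above. A missing dict key stands in for a Splunk null field. The
# modelled semantics are simplifying assumptions: mvappend skips nulls, stats
# values() returns distinct sorted values, mvexpand emits one row per value.
# Constructed input: the asker's table plus one duplicated field2 value (row 3),
# which is where the methods diverge.
ROWS = [
    {"field1": 1, "field2": 10},
    {"field1": 2, "field2": 12},
    {"field1": 3, "field2": 12},  # duplicate, not in the original question
    {"field1": 4},
    {"field1": 5},
]

def mvappend(*values):
    """Flatten the arguments into one multivalue list, dropping nulls."""
    out = []
    for v in values:
        if v is not None:
            out.extend(v if isinstance(v, list) else [v])
    return out

def mvexpand(rows, field):
    """One output row per value of a multivalue field; other rows pass through."""
    out = []
    for r in rows:
        vals = r.get(field)
        if isinstance(vals, list):
            out.extend({**r, field: v} for v in vals)
        else:
            out.append(dict(r))
    return out

def method_mvexpand(rows):
    """eval field3=mvappend(field1, field2) | mvexpand field3 | sort 0 +field3"""
    staged = [{"field3": mvappend(r.get("field1"), r.get("field2"))} for r in rows]
    return sorted(r["field3"] for r in mvexpand(staged, "field3"))

def method_append(rows):
    """search field1=* | eval field3=field1 | append [search field2=* | eval field3=field2]"""
    first = [r["field1"] for r in rows if r.get("field1") is not None]
    second = [r["field2"] for r in rows if r.get("field2") is not None]
    return first + second  # the answer's append version does not sort

def method_appendpipe(rows):
    """appendpipe [stats values(field2) as field2] | eval field3=coalesce(field1, field2) | mvexpand field3"""
    distinct = sorted({r["field2"] for r in rows if r.get("field2") is not None})
    staged = rows + [{"field2": distinct}]  # appendpipe adds one summary row
    coalesced = [{"field3": r["field1"] if "field1" in r else r["field2"]} for r in staged]
    return [r["field3"] for r in mvexpand(coalesced, "field3")]
```

On the constructed input the mvexpand and append versions keep the duplicated 12 while the appendpipe version drops it, because stats values() only returns distinct values; choose the method according to whether repeated field2 values matter.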

