Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I combine a field value , if the other 3 field values are the same

Dayalss
Engager
‎09-10-2024 06:05 AM

Hi,


How can I combine a field value , if the other 3 field values are the same

Ex:- If the field1 , field2 , field3 are same but the field4 is different and its creating a new row in my splunk table,

I want to merge or combine the field4 values into one field value separated by commas if the field1 , field2 , field3 are same

 

0 Karma
Reply

Dayalss
Engager
‎09-10-2024 07:14 AM

Hi,

My current data looks like 

IPHostnameIDSockets
1.1.1.1.Apple100404
1.1.1.1.Apple10022
2.2.2.2.Banana99404
3.3.3.3Grapes98404


So only because for the 2nd row socket is 22 its creating another row , what I want is if the first 3 columns are same then it can merge the socket field value like

IPHostnameIDSockets
1.1.1.1.Apple100404,22
2.2.2.2.Banana99404
3.3.3.3Grapes98404
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 07:18 AM 
| stats values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")
Reply

Dayalss
Engager
‎09-10-2024 07:39 AM

Hi ,

I have already tried this , but the issue is there are around 15+ fields which Im using in my complete table query  at last.

I just want to merge only based on these 3 fields , but if I mention these fields in stats all other 12+ fields are getting empty values.

Is there a way only it can check for those 3 fields and does not impact other field values

0 Karma
Reply

dural_yyz
Motivator
‎09-10-2024 10:18 AM

Take what was given previously and adjust with your additional fields you need carried through.

Original Suggestion

| stats values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")

Extended Suggestion

| stats values(x) as x, values(y) as y, values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")
| table IP Hostname ID Sockets x y

Extend as many fields that you want to carry forward and the table is only required if you wish to control the display order of the fields, completely skip otherwise.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 08:58 AM

Please provide a more complete representation of your data and your expected output - we can only work with what you show us.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-10-2024 06:50 AM

Hi @Dayalss ,

sorry but it isn't clear, could yuou share some sample of the normal condition (field1, field2 and field3 different), and the condition with field1, field2 and field3 the same?

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 06:48 AM

Please give an example of your expected output for when the fields are the same and for when they are not the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...