Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I combine a field value , if the other 3 field values are the same

Dayalss
Engager
‎09-10-2024 06:05 AM

Hi,


How can I combine a field value , if the other 3 field values are the same

Ex:- If the field1 , field2 , field3 are same but the field4 is different and its creating a new row in my splunk table,

I want to merge or combine the field4 values into one field value separated by commas if the field1 , field2 , field3 are same

 

0 Karma
Reply

Dayalss
Engager
‎09-10-2024 07:14 AM

Hi,

My current data looks like 

IPHostnameIDSockets
1.1.1.1.Apple100404
1.1.1.1.Apple10022
2.2.2.2.Banana99404
3.3.3.3Grapes98404


So only because for the 2nd row socket is 22 its creating another row , what I want is if the first 3 columns are same then it can merge the socket field value like

IPHostnameIDSockets
1.1.1.1.Apple100404,22
2.2.2.2.Banana99404
3.3.3.3Grapes98404
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 07:18 AM 
| stats values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")
Reply

Dayalss
Engager
‎09-10-2024 07:39 AM

Hi ,

I have already tried this , but the issue is there are around 15+ fields which Im using in my complete table query  at last.

I just want to merge only based on these 3 fields , but if I mention these fields in stats all other 12+ fields are getting empty values.

Is there a way only it can check for those 3 fields and does not impact other field values

0 Karma
Reply

dural_yyz
Motivator
‎09-10-2024 10:18 AM

Take what was given previously and adjust with your additional fields you need carried through.

Original Suggestion

| stats values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")

Extended Suggestion

| stats values(x) as x, values(y) as y, values(Sockets) as Sockets by IP Hostname ID
| eval Sockets=mvjoin(Sockets, ",")
| table IP Hostname ID Sockets x y

Extend as many fields that you want to carry forward and the table is only required if you wish to control the display order of the fields, completely skip otherwise.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 08:58 AM

Please provide a more complete representation of your data and your expected output - we can only work with what you show us.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-10-2024 06:50 AM

Hi @Dayalss ,

sorry but it isn't clear, could yuou share some sample of the normal condition (field1, field2 and field3 different), and the condition with field1, field2 and field3 the same?

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2024 06:48 AM

Please give an example of your expected output for when the fields are the same and for when they are not the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...