Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I concatenate a single field's value acros...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jeskandarian
Engager
10-15-2015
04:24 PM
Search:
index=exp eventName="business:SelfServ-ChangeTrip" ChangeBookingEventType=ChangeBookingPayloadChunk hotelChangePayloadId="24c51841-8188-448b-9f4a-26f978ae4af9"
| sort chunkSequence
| fields payload
Results:
date payload
XXXX String 1-
XXXX String 2-
I'd like the result to be:
date payload
XXXX String 1-String 2-
Obviously I don't care about the date, but I can't seem to get rid of it with fields -_* without messing up the entire search.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-15-2015
05:24 PM
Do something like this
index=exp eventName="business:SelfServ-ChangeTrip" ChangeBookingEventType=ChangeBookingPayloadChunk hotelChangePayloadId="24c51841-8188-448b-9f4a-26f978ae4af9"
| sort chunkSequence | stats list(payload) as payload | nomv payload
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-15-2015
05:24 PM
Do something like this
index=exp eventName="business:SelfServ-ChangeTrip" ChangeBookingEventType=ChangeBookingPayloadChunk hotelChangePayloadId="24c51841-8188-448b-9f4a-26f978ae4af9"
| sort chunkSequence | stats list(payload) as payload | nomv payload
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jeskandarian
Engager
10-21-2015
10:52 AM
This worked great except when the payload field contains a comma. When it runs into a comma the resulting string gets truncated. I imagine I can do something to "list(payload)" but not sure.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-22-2015
06:37 AM
Works for me:
|noop|stats count as field|eval field="a,b,c,d,e" | makemv delim="," field | rex field=field mode=sed "s/c/c,/" | nomv field
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
