Solved: How can I create a third field based on unique com...

cmontonen · ‎05-06-2015

Hello all,
I am really new to Splunk and cannot for the life of me figure this one out.
Unfortunately, Googling around for answers has not been helpful.

I have records which contain two important fields initiator_country and responder_country.
I am interested in observing records with rare combinations of the two fields.
There are 3 possible values for initiator_country and responder_country, so 9 total combinations.
I would like to create a 3rd field for each record indicating which initiator_country - responder_country
combination the record belongs to, but I am not really sure where I should start.

Thank you very much!

woodcock · ‎05-06-2015

Is this what you mean?

... | eval newField = initiator_country . "-" . responder_country

View solution in original post

woodcock · ‎05-06-2015

Is this what you mean?

... | eval newField = initiator_country . "-" . responder_country

cmontonen · ‎05-06-2015

Wow! Thank you very much!
I just tested it and it worked!

How can I create a third field based on unique combinations of two other fields

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How can I create a third field based on unique combinations of two other fields

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!