Re: SPL query

uagraw01 · ‎04-29-2022

Hello Splunkers,

How can i rename all the OrderNumber1, OrderNumber2, OrderNumber3 as OrderNumber. And Country1, Country2,Country4 as Country. I have attached the screenshot also.

Appreciated in advance

VatsalJagani · ‎04-29-2022

@uagraw01 - Use the solution given by @gcusello if you want to get one value out of all the fields.

If you want all values from those fields into a new multi-valued field, then you can try:

| eval Country = mvappend(Country1, Country2, ...)
| eval OrderNumber = mvappend(OrderNumber1, OrderNumber2, ...)

I hope this helps!!

gcusello · ‎04-29-2022

Hi @uagraw01 ,

if the field numbers is fixed, you can use coalesce option:

| eval OrderNumber=coalesce(OrderNumber1,OrderNumber2,OrderNumber3), country=coalesce(country1,country2,country3)

Ciao.

Giuseppe

uagraw01 · ‎04-29-2022

@gcusello I already tried this. But let me know is this a good approach ?

gcusello · ‎04-30-2022

Hi @uagraw01,

Yes, coalesce is very much used option.

Ciao.

Giuseppe

VatsalJagani · ‎04-29-2022

@uagraw01 - You can use the same formula as part of props.conf EVAL statement as well.

uagraw01 · ‎04-29-2022

@VatsalJagani I have some limitations here.

How can I rename items with SPL query?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!