Splunk Search

How do I concatenate two fields into a string?

brettgladys
Explorer

I have two fields, application and servletName. I'd like to have them as column names in a chart. I'm currently trying to use eval to make a new variable named fullName, and concatenate the values for application and servletName with a dash(-) in the middle. How do I do this?

Thanks, Brett

Tags (1)
1 Solution

brettgladys
Explorer

Well...a typo did it.

eval fullName=applicationName. "-" .servletName

Turns out that not putting the right name of a field causes the entire operation to return nada.

View solution in original post

chris
Motivator

This is a question that has many hits. I just wanted to point out that there is another possibility

<basesearch> | strcat field1 " some text: " field2 " more text: " field3 newField

This will concatenate fields and text to the new field 'newField'

strcat has the advantage that it will still create the new field if one of the fields that are concatenated are empty/missing

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/strcat

hoben
Engager

'strcat' works great for more than two fields as well. The 'allrequired=f' flag also allows you to concatenate the fields that exist and ignore those that don't. 

Example: 

| strcat allrequired=f email "|" uname "|" secondaryuname identity

The above will combine the three fields, 'email', 'uname', and 'secondaryuname' into the single field 'identity', delimitating by the pipe character. 

0 Karma

raghuramj
New Member

You can concatenate two fields using eval

ex: eval Full_Name= 'First Name'. " " .'Last Name'

0 Karma

simonverzijl
Engager

Excellent! This is what I needed to concatenate a tag to another string. Eval is not working for this, but this is :

| strcat host "(" tag::host ")" label
0 Karma

ftk
Motivator

You can use the eval search command for this.

Concatenate fieldA, a dash, and fieldB into newField:

| eval newField= fieldA."-".fieldB

bcronrath
Path Finder

Amazing, this is exactly what I've been looking for, ty!

0 Karma

brettgladys
Explorer

Well...a typo did it.

eval fullName=applicationName. "-" .servletName

Turns out that not putting the right name of a field causes the entire operation to return nada.

jkat54
SplunkTrust
SplunkTrust

I accepted this as the solution because it was the earliest one that mentioned eval with periods/dots for the concatenation which is the most common approach I've seen in the last 12 years since this answer was written.

Nice work!

I do believe the | strcat works too, but didnt check before writing this.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...