Splunk Search

How do I concatenate two fields into a string?


I have two fields, application and servletName. I'd like to have them as column names in a chart. I'm currently trying to use eval to make a new variable named fullName, and concatenate the values for application and servletName with a dash(-) in the middle. How do I do this?

Thanks, Brett

Tags (1)


This is a question that has many hits. I just wanted to point out that there is another possibility

<basesearch> | strcat field1 " some text: " field2 " more text: " field3 newField

This will concatenate fields and text to the new field 'newField'

strcat has the advantage that it will still create the new field if one of the fields that are concatenated are empty/missing


New Member

You can concatenate two fields using eval

ex: eval Full_Name= 'First Name'. " " .'Last Name'

0 Karma


Excellent! This is what I needed to concatenate a tag to another string. Eval is not working for this, but this is :

| strcat host "(" tag::host ")" label
0 Karma


You can use the eval search command for this.

Concatenate fieldA, a dash, and fieldB into newField:

| eval newField= fieldA."-".fieldB

Path Finder

Amazing, this is exactly what I've been looking for, ty!

0 Karma


Well...a typo did it.

eval fullName=applicationName. "-" .servletName

Turns out that not putting the right name of a field causes the entire operation to return nada.

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!