How do I edit my search to merge fields?

kiran331 · ‎06-07-2016

Hi all,

I'm trying to merge fields. I need to have each value separately, but here I can see a group value as string. How can resolve this?

index=abc|rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=* )| eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT) )| makemv delim=";" pn|mvexpand pn| table _time pn

Result:

2016-06-03 16:13:01.940 22
2016-06-03 16:13:01.940 22 514 5520 8000

What I need is:

2016-06-03 16:13:01.940 22
2016-06-03 16:13:01.940 22
2016-06-03 16:13:01.940    514 
2016-06-03 16:13:01.940     5520
2016-06-03 16:13:01.940     8000

515, 5520, 8000 belongs to same event of field TCP

woodcock · ‎06-07-2016

Try this:

index=abc
| rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"
| search (PORT=* OR TCP_PORT=* OR UDP_PORT=* )
| mvexpand UDP_PORT
| mvexpand TCP_PORT
| eval pn =            if(isnotnull(PORT),         PORT, ";")
| eval pn = pn . ";" . if(isnotnull(TCP_PORT), TCP_PORT, ";")
| eval pn = pn . ";" . if(isnotnull(UDP_PORT), UDP_PORT, ";")
| table _time pn
| makemv delim=";" pn | mvexpand pn

How do I edit my search to merge fields?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How do I edit my search to merge fields?

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard