How do I edit my search to merge fields?

kiran331 · ‎06-07-2016

Hi all,

I'm trying to merge fields. I need to have each value separately, but here I can see a group value as string. How can resolve this?

index=abc|rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"|search (PORT=* OR TCP_PORT=* OR UDP_PORT=* )| eval pn=(toString(PORT) + ";" + toString(TCP_PORT) + ";" + toString(UDP_PORT) )| makemv delim=";" pn|mvexpand pn| table _time pn

Result:

2016-06-03 16:13:01.940 22
2016-06-03 16:13:01.940 22 514 5520 8000

What I need is:

2016-06-03 16:13:01.940 22
2016-06-03 16:13:01.940 22
2016-06-03 16:13:01.940    514 
2016-06-03 16:13:01.940     5520
2016-06-03 16:13:01.940     8000

515, 5520, 8000 belongs to same event of field TCP

woodcock · ‎06-07-2016

Try this:

index=abc
| rex max_match=0 "UDP_PORT=(?\d+)|TCP_PORT=(?\d+)"
| search (PORT=* OR TCP_PORT=* OR UDP_PORT=* )
| mvexpand UDP_PORT
| mvexpand TCP_PORT
| eval pn =            if(isnotnull(PORT),         PORT, ";")
| eval pn = pn . ";" . if(isnotnull(TCP_PORT), TCP_PORT, ";")
| eval pn = pn . ";" . if(isnotnull(UDP_PORT), UDP_PORT, ";")
| table _time pn
| makemv delim=";" pn | mvexpand pn

How do I edit my search to merge fields?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

How do I edit my search to merge fields?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console