Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you concatenate strings of two multi-va...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two multi-value fields, one contains addresses and the other contains the date and time an event occurred at said address. I am trying to collect both items of data into a single mv field. I cannot collect them with one extraction because the data between them is not necessary for the report.
Here are possible example values of the address and date in raw form and as how I am trying to concatenate them:
1.1.1.1 SQL Inactive 2017-08-15 13:02:58 -> 1.1.1.1 2017-08-15 13:02:58
2.2.2.2 ORA Inactive 2018-01-04 22:32:39 -> 2.2.2.2 2018-01-04 22:32:39
3.3.3.3:FAM Inactive 2018-01-04 22:32:39 -> 3.3.3.3 2018-01-04 22:32:39
4.4.4.4 Inactive 2018-02-24 03:55:18 -> 4.4.4.4 2018-02-24 03:55:18
0 Inactive 2018-02-24 03:55:18 -> 0 2018-02-24 03:55:18
FOO.BAR.COM Inactive 2018-02-24 03:55:18 -> FOO.BAR.COM 2018-02-24 03:55:18
The two fields are in bold and the final mv field is in italics.
I cannot seem to get the mv fields to concatenate in this way and was hoping I am just missing something. How would I go about this?
Thank you. -Peter
Edit
This works perfectly \/
eval ip_date=mvzip(address,date," ")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Peter,
Are those each events/row ? If they are two fields of same row then simple concatenation would work
eval my_concatenated_field=adress." ".date
if each row is a multi value field, then you can combine them using mvzip(adress,date," ")
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They are multi-valued field, so use eval-mvzip. (See @renjith.nair's comment for syntax OR this)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Peter,
Are those each events/row ? If they are two fields of same row then simple concatenation would work
eval my_concatenated_field=adress." ".date
if each row is a multi value field, then you can combine them using mvzip(adress,date," ")
What goes around comes around. If it helps, hit it with Karma 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
