Solved: How do you join two fields with dedup?

splunker1981 · ‎02-08-2019

Hello folks,

Trying to figure out how to go about joining 2 fields with a dash but only if they don't have the same values. Ideally, if there's a way to dynamically add the - only if 2 strings, that would cool!

string1 string2 string3
string10 string20 string20
string11 string100 string100

index=xyz sourcetype=zzz |table field1 field2 field3
    |eval joined = field2 + " - " + field3
|table field1 joined

Results desired for joined field

    string1 string2 - string3
    string10 string20
    string11 string100

woodcock · ‎02-08-2019

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

View solution in original post

woodcock · ‎02-08-2019

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

How do you join two fields with dedup?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation