Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you join two fields with dedup?

splunker1981
Path Finder
‎02-08-2019 07:54 AM

Hello folks,

Trying to figure out how to go about joining 2 fields with a dash but only if they don't have the same values. Ideally, if there's a way to dynamically add the - only if 2 strings, that would cool!

string1 string2 string3
string10 string20 string20
string11 string100 string100

index=xyz sourcetype=zzz |table field1 field2 field3
    |eval joined = field2 + " - " + field3
|table field1 joined

Results desired for joined field

    string1 string2 - string3
    string10 string20
    string11 string100
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-08-2019 08:02 AM

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎02-08-2019 08:02 AM

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...