Solved: How do you join two fields with dedup?

splunker1981 · ‎02-08-2019

Hello folks,

Trying to figure out how to go about joining 2 fields with a dash but only if they don't have the same values. Ideally, if there's a way to dynamically add the - only if 2 strings, that would cool!

string1 string2 string3
string10 string20 string20
string11 string100 string100

index=xyz sourcetype=zzz |table field1 field2 field3
    |eval joined = field2 + " - " + field3
|table field1 joined

Results desired for joined field

    string1 string2 - string3
    string10 string20
    string11 string100

woodcock · ‎02-08-2019

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

View solution in original post

woodcock · ‎02-08-2019

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

How do you join two fields with dedup?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

How do you join two fields with dedup?

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk