Solved: How do you join two fields with dedup?

splunker1981 · ‎02-08-2019

Hello folks,

Trying to figure out how to go about joining 2 fields with a dash but only if they don't have the same values. Ideally, if there's a way to dynamically add the - only if 2 strings, that would cool!

string1 string2 string3
string10 string20 string20
string11 string100 string100

index=xyz sourcetype=zzz |table field1 field2 field3
    |eval joined = field2 + " - " + field3
|table field1 joined

Results desired for joined field

    string1 string2 - string3
    string10 string20
    string11 string100

woodcock · ‎02-08-2019

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

View solution in original post

woodcock · ‎02-08-2019

Like this:

 index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())

How do you join two fields with dedup?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation