Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can merge two value in one field output

hrs2019
Path Finder
‎02-04-2020 05:27 AM

Hi All,

How i can merge two row value in one field. i am trying with case but i am not getting the output.
alt text

fields.png
Preview file
9 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎02-04-2020 05:56 AM 
| makeresults 
| eval _raw="product_name,dev,dev1,test,prod
INFO,yes,yes,no,yes
Apple,yes,,yes,yes
Apple1,,yes,," 
| multikv forceheader=1 
| table product_name,dev,dev1,test,prod
| eval matchseg=replace(product_name,"\d+","")
| stats values(*) as * by matchseg
| rename matchseg as product_name
| table product_name,dev,dev1,test,prod
0 Karma
Reply

to4kawa
Ultra Champion
‎02-04-2020 05:38 AM

apple = apple1?
What are the conditions for joining?

0 Karma
Reply

hrs2019
Path Finder
‎02-04-2020 05:40 AM

Hi @to4kawa
all the dev1 info for Apple1 will display in Apple . i cant show two apple so i am display in one field ie- Apple.

0 Karma
Reply

hrs2019
Path Finder
‎02-04-2020 08:00 AM

Hi @to4kawa

This value is not fixed time to time this value is chaining in that condition this ll not work.

yes to No and No to yes it changing so i need dynamic solution

0 Karma
Reply

to4kawa
Ultra Champion
‎02-04-2020 02:06 PM

What are the conditions for joining?
This value is not fixed time to time
I see. Which should be remain?
faster? later? Name has digit? non-digit?
I don't know.

0 Karma
Reply

vnravikumar
Champion
‎02-04-2020 08:32 AM

in addition to @to4kawa solution, check this

| makeresults 
| eval _raw="product_name,dev,dev1,test,prod
 INFO,yes,yes,no,yes
 Apple,yes,,yes,yes
 Apple1,,yes,," 
| multikv forceheader=1 
| table product_name,dev,dev1,test,prod 
| eval matchseg=replace(product_name,"\d+","") 
| streamstats count 
| stats values(*) as * by matchseg 
| mvexpand count 
| stats max(count) as count by matchseg,dev,dev1,test,prod 
| rename matchseg as product_name 
| sort count
| table product_name,dev,dev1,test,prod
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top