Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can merge two value in one field output

hrs2019
Path Finder
‎02-04-2020 05:27 AM

Hi All,

How i can merge two row value in one field. i am trying with case but i am not getting the output.
alt text

fields.png
Preview file
9 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎02-04-2020 05:56 AM 
| makeresults 
| eval _raw="product_name,dev,dev1,test,prod
INFO,yes,yes,no,yes
Apple,yes,,yes,yes
Apple1,,yes,," 
| multikv forceheader=1 
| table product_name,dev,dev1,test,prod
| eval matchseg=replace(product_name,"\d+","")
| stats values(*) as * by matchseg
| rename matchseg as product_name
| table product_name,dev,dev1,test,prod
0 Karma
Reply

to4kawa
Ultra Champion
‎02-04-2020 05:38 AM

apple = apple1?
What are the conditions for joining?

0 Karma
Reply

hrs2019
Path Finder
‎02-04-2020 05:40 AM

Hi @to4kawa
all the dev1 info for Apple1 will display in Apple . i cant show two apple so i am display in one field ie- Apple.

0 Karma
Reply

hrs2019
Path Finder
‎02-04-2020 08:00 AM

Hi @to4kawa

This value is not fixed time to time this value is chaining in that condition this ll not work.

yes to No and No to yes it changing so i need dynamic solution

0 Karma
Reply

to4kawa
Ultra Champion
‎02-04-2020 02:06 PM

What are the conditions for joining?
This value is not fixed time to time
I see. Which should be remain?
faster? later? Name has digit? non-digit?
I don't know.

0 Karma
Reply

vnravikumar
Champion
‎02-04-2020 08:32 AM

in addition to @to4kawa solution, check this

| makeresults 
| eval _raw="product_name,dev,dev1,test,prod
 INFO,yes,yes,no,yes
 Apple,yes,,yes,yes
 Apple1,,yes,," 
| multikv forceheader=1 
| table product_name,dev,dev1,test,prod 
| eval matchseg=replace(product_name,"\d+","") 
| streamstats count 
| stats values(*) as * by matchseg 
| mvexpand count 
| stats max(count) as count by matchseg,dev,dev1,test,prod 
| rename matchseg as product_name 
| sort count
| table product_name,dev,dev1,test,prod
0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...
Top