Solved: How to Combine multiple rows into comma separated ...

ibob0304 · ‎05-17-2017

Is it possible to combine multiple rows into one row ?

COLUMN
frow1
frow2
frow3

to something like

COLUMN
frow1,frow2,frow3

Mvcombine combined all the rows to one row but they are not comma separated.
|mvcombine delim="," COLUMN

somesoni2 · ‎05-17-2017

Try like this

your current search giving field COLUMN
| stats list(COLUMN) as COLUMN delim="," | nomv COLUMN

View solution in original post

ibob0304 · ‎05-17-2017

 |mvcombine delim="," COLUMN|   eval MYROW=mvjoin(COLUMN, ", ")

somesoni2 · ‎05-17-2017

Try like this

your current search giving field COLUMN
| stats list(COLUMN) as COLUMN delim="," | nomv COLUMN

anooshac · ‎05-24-2021

Hi,

I have a similar problem. I want to assign all the values to a token.

<condition label="All">
<set token="Tok_all">"All the values should be should be assigned here"</set>

</condition>

also the values should be delimited with double quotes. (eg: "a","b","c")I tried a lot and i am not able to reach to the solution. do you have any solution for this?

Simon1Dugdale1 · ‎05-17-2017

| eval COLUMN = frow1.", ".".frow2.", ".frow3

Using eval and a '.' is one way.

| strcat frow1 ", " frow2 ", " frow3 COLUMN

Using stringcat is another.

How to Combine multiple rows into comma separated single row ?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies