Solved: How to combine multiple fields?

zkenaga · ‎05-18-2017

I have multiple fields with the name name_zz_(more after this)

How would I be able to merge all of the like tests into one field?

kmorris_splunk · ‎05-18-2017

Take a look at this post:

kmorris_splunk · ‎05-18-2017

Take a look at this post:

somesoni2 · ‎05-18-2017

You want to merge values (concatenate values) OR each event will have single field but different name but you want to create a common name field?

zkenaga · ‎05-18-2017

I am looking to join all the names together and have them report as one name.

zkenaga · ‎05-18-2017

right now I have

name_zz_1
name_zz_2
name_zz_3

I would like to have those combined to just report as name_zz

somesoni2 · ‎05-18-2017

So basically, right now you've to do like this to see all values?

...some search | table ..some fields.. name_zz_1 name_zz_2 name_zz_3

and you want to do like

...some search | table ..some fields.. name_zz

Where name_zz will contain values of all 3 (or any number of fields) name_zz_N fields?

It's generally easier for us if you can post some sample values and corresponding expected output.

somesoni2 · ‎05-18-2017

If its the first case (multiple fields to be combined into one), try this

...some search.. | eval name_zz="" | foreach name_zz_* [| eval name_zz=coalesce('<<FIELD>>'.",","").name_zz] | fields - name_zz_*

How to combine multiple fields?