Solved: How to combine multiple rows in a field to one row...

splunkerer · ‎05-19-2021

I have a data set as seen below.

exec arguments

/bin/sh

sh

-c

uname -p ** /dev/null

/sbin/ldconfig

/bin/sh

/sbin/ldconfig

-p

/bin/uname

uname

-m

as seen above sample data, some of the argument fields have 3 lines on them, some of them 2 or 5 etc. all of them are different.

I would like to get the following result

exec arguments
----------------------------------------
/bin/sh sh -c uname -p ** /dev/null
/sbin/ldconfig /bin/sh /sbin/ldconfig -p
/bin/uname uname -m

How can I get this result?
Thanks,

ITWhisperer · ‎05-20-2021

If arguments is a multi-value field, use

| eval arguments=mvjoin(arguments," ")

View solution in original post

ITWhisperer · ‎05-20-2021

If arguments is a multi-value field, use

| eval arguments=mvjoin(arguments," ")

splunkerer · ‎05-20-2021

wow, I spent 2 hours to resolve this. you are amazing! Thanks a bunch!

yuanliu · ‎05-19-2021

If the data is strictly formatted, you can use rex to simply collapse lines:

| rex field=arguments mode=sed "s/
/ /g"

e.g.,

| makeresults 
| eval exec = "/bin/sh", arguments = "sh
-c
uname -p ** /dev/null"
| rex field=arguments mode=sed "s/
/ /g"

gives

_time	arguments	exec
2021-05-20 06:33:07	sh -c uname -p ** /dev/null	/bin/sh

Without rex, the output is

_time

arguments

exec

2021-05-20 06:42:40

sh

-c

uname -p ** /dev/null

/bin/sh

splunkerer · ‎05-20-2021

Thanks for sharing your solution, but this did not work on my end.

How to combine multiple rows in a field to one row in the same field?

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to combine multiple rows in a field to one row in the same field?

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming