Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine similar values into one table column

aristidiskantas
Engager
‎06-15-2022 01:04 AM

Hello everyone, 

I am having two events with different sourcetypes that have similar fields with similar values however not the same.

I have found a way to combine the fields by using coalesce, however I would like to combine the values as well in order to get a clear result

I am running this search :

 

index="main" category="Foo" OR sourcetype="foo" 
| iplocation ip_address 
| eval severity_level = coalesce(severity, foo_severity)
| geostats count by severity_level

 


and I am having the following results. 

 

| longitude | latitude | HIGH | High | MEDIUM | Medium | LOW | Low |
|  143.2104 | -33.494  |  39  |  4   |   40   |   30   |  15 |  5  |

 

 
And I want to get something like:

 

| longitude | latitude | HIGH  | MEDIUM | LOW | 
|  143.2104 | -33.494  |  43   |   70   |  20 |

 

 
Could you please give a hint? Thank you very much in advance.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 01:07 AM

Hi @aristidiskantas,

you have to convert all values in upper or lower case, something like this:

index="main" category="Foo" OR sourcetype="foo" 
| iplocation ip_address 
| eval severity_level = upper(coalesce(severity, foo_severity))
| geostats count by severity_level

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 01:07 AM

Hi @aristidiskantas,

you have to convert all values in upper or lower case, something like this:

index="main" category="Foo" OR sourcetype="foo" 
| iplocation ip_address 
| eval severity_level = upper(coalesce(severity, foo_severity))
| geostats count by severity_level

Ciao.

Giuseppe

Reply
Solved! Jump to solution

aristidiskantas
Engager
‎06-15-2022 01:27 AM

That worked! Thank you so mush for the input Giuseppe. 

Wish you the best,

Aris

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 01:29 AM

Hi @aristidiskantas,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated ;-

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Seamless IT/OT Security: A Hands-On Look at the Cisco Cyber Vision Splunk Add-on

With just a few clicks, you can ingest critical OT asset details, vulnerabilities, baseline deviations, ...