Hello everyone,
I have created some fields, but now I want to combine them. Ex: I have created fields like A, B, C; now I want to create a new field which combines two fields, e.g. D = A+B or D = A+B+C.
Can anyone help me on this?
Config as provided in the comments looks fine, but if those fields are not together in 1 event, there is no way this will work using calculated fields. You will need to write a search query that combines the related events somehow, to get that information together.
If you need help with that, I suggest you create a new question, with proper detailed explanation of what you are trying to achieve.
If by "combine" you mean concatenate, then you use the concatenation operator within an eval statement.
... | eval D = A . B . C
will create a field 'D' containing the values from fields A, B, C strung together (D=ABC). You can add text between the elements if you like:
... | eval D = A . "+" . B . "=" . C
Hi, it didn't work...
I want to create a new field by combining existing fields...
See my answer below, and stop just kicking your question without adding any new information. As explained: what you want is impossible with calculated fields. You cannot combine fields from 2 separate events like that.
Hello richgalloway,
Thanks for your reply. I have tried that, like eval report=A . "-" .B
It is working and report behaves as a new field, but we can't run the SPL query every time. So I'm planning to create a new field which combines the two fields which I have created and which are working successfully.
When I run the SPL query, eval repor= duration. "-" .action, it combines these two fields.
So they can see how much time was taken to complete the action. Is there a way to add two fields and make them a third field?
Yes, just define a calculated field with that same eval expression in it.
In the GUI under Settings -> Fields -> Calculated Fields. Or directly in props.conf under the respective sourcetype: EVAL-report = A . "-" .B
Okay, but one question:
EVAL-report =A . "-" .B
So here, are A and B the names of the fields or the regular expressions of the A and B fields?
The names of those fields (assuming you already have extractions defined for those fields).
Yes, I have created the fields already. In Settings > Fields > Calculated Fields I selected the sourcetype; after that it asks for the eval expression.
I have given the name
Eval Expression = EVAL-report = timeendpos. "-" .timestartpos
then it gave this error: Encountered the following error while trying to save: In handler 'props-eval': Operator types incompatible
If you're creating the calculated field through the GUI, you just need the eval expression itself, not the EVAL-report =
bit. So just enter timeendpos. "-" .timestartpos
Hi, it didn't work. Any suggestions?
Can you create a screenshot of the calculated field settings? Upload it to some imagehost and share the url here.
Hi FrankVI, thank you so much for your reply. I should complete this by Monday morning.
Here are the requested URLs:
https://ibb.co/R6ZX1Rs
https://ibb.co/ZVV6dZk
Can you also open the calculated fields to see how you configured it?
Also: from what I can see from your search screenshot, the 2 events with an MTP value do not have a Duration value. So then of course the calculation fails.
Here Duration and MTP are both completely different from each other.
My query is to merge these two fields by creating a new field.
Here MTP means action and Duration means time.
If I merge these fields, the client will get to know "Action completed by 55 sec" by clicking on a single field.
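
Added example, not part of the original thread: the answers above point out that a calculated field is evaluated per event, so it cannot join Duration and MTP when they sit in separate events, and that a search combining the related events is needed. A sketch of such a search, assuming the related events share some correlation field; `<your_index>`, `<your_sourcetype>` and `<correlation_field>` are placeholders to fill in, and the wording of the output string is illustrative:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| stats latest(MTP) AS MTP latest(Duration) AS Duration BY <correlation_field>
| where isnotnull(MTP) AND isnotnull(Duration)
| eval report = MTP . " completed by " . Duration . " sec"
| table <correlation_field> report
```

The `where` line drops groups in which either field is still missing, which is the case where the concatenation would otherwise produce no value.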