Splunk Search

How to combine two fields into one to run a stats count search?

reachskhm
New Member

I have log events which are a little different, but each event has a unique name which I am interested in. However, this unique name is not in one field.

Say I have names of transactions which I want to get a count of. Let's say the transaction names are tran1, tran2, tran3, tran4. This name is in fieldA in one event and in fieldB in another event. How do I combine these 2 fields into one field so that I can perform stats on count and response time?
To be more specific, tran1 or tran2 etc. will be either in fieldA or in fieldB, and I would like to search the count by tran1 and tran2 etc.

Thanks in advance.

0 Karma

sundareshr
Legend

Like this
.... | eval fldname=coalesce(fieldA, fieldB) | stats count by fldname

reachskhm
New Member

Hey, thanks for the answer. Looks like it's not working; let me be more clear about the problem.
One event has the info I need in, say, fieldA, which I extracted using Splunk from raw data, and it will have values like trans1, trans2.... and also, say, one value like REST. And fieldB, which I extracted, will again have trans1, trans2.... and, say, NOTSET. So the data will be like: fieldA entries which have REST as a value will have trans1 etc. in fieldB.
Similarly, NOTSET in the field value will have values of trans1 etc. in fieldA.
So here I am only interested in trans1, trans2...

0 Karma

sundareshr
Legend

Not sure I understand. Can you put the sample in a table form? A few rows with field names and values?

reachskhm
New Member

Below is the example of the events in table

So when you do a stats, I need like trans1 as 4, trans2 as 5, trans3 as 1, the count combined from field A and field B, ignoring ERR and Res from these fields. And also I want to do some avg on resptimeinsecs accordingly. Thanks in advance.

Event  Field A  Field B  Source  resptimeinsecs
1      Trans1   Res      CP      10
2      Trans2   Res      CP      45
3      Err      Trans3   CP      67
4      Trans1   Res      CP      91
5      Err      Trans2   CP      78
6      Trans2   Res      CP      86
7      Trans1   Res      CP      90
8      Trans2   Res      CP      86
9      Err      Trans1   CP      90
10     Trans2   Res      CP      86

0 Karma
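
An added example, not part of any post in this thread: coalesce() returns its first non-null argument, and in the sample table fieldA is never null (it holds Err), so the placeholder values have to be turned into nulls before the two fields are combined. The search below rebuilds the table's ten rows with makeresults (this needs a Splunk version that supports format=csv), assumes the placeholders are exactly Err and Res in any letter case, and uses the hypothetical field names a, b and txn.

```spl
| makeresults format=csv data="Event,fieldA,fieldB,Source,resptimeinsecs
1,Trans1,Res,CP,10
2,Trans2,Res,CP,45
3,Err,Trans3,CP,67
4,Trans1,Res,CP,91
5,Err,Trans2,CP,78
6,Trans2,Res,CP,86
7,Trans1,Res,CP,90
8,Trans2,Res,CP,86
9,Err,Trans1,CP,90
10,Trans2,Res,CP,86"
| eval a=if(match(fieldA, "(?i)^(err|res)$"), null(), fieldA)
| eval b=if(match(fieldB, "(?i)^(err|res)$"), null(), fieldB)
| eval txn=coalesce(a, b)
| where isnotnull(txn)
| stats count avg(resptimeinsecs) AS avg_resptimeinsecs BY txn
```

Against real events, replace the makeresults stage with the base search. If the placeholder strings are REST and NOTSET, as in the earlier post, add them to the alternation in both match() patterns.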