I have log events which are little different, but each event has a unique name which I am interested in. However, this unique name is not in one field.
Say I have names of transactions which I want get count of. Let's say transaction names are tran1, tran2, tran3, tran4. This info of the name is in one event in fieldA and in other event in fieldB. How do I combine these 2 fields to get a field so that I can perform stats on count and response time.
To be more specific, fieldA and fieldB will have tran1 or tran2 etc either in fieldA or in fieldB, I would like to search the count by tran1 and tran2 etc.
thanks in advance
Like this
.... | eval fldname=coalesce(fieldA, fieldB) | stats count by fldname
hey thanks for answer looks like its not working, let me more clear about the problem,
One event has info what i need say FiledA which i extracted using splunk from raw data , will have valuses like trans1 ,trans2.... And ALSO say one value like REST , AND filedB which i extracted will have again tans1.trans2....AND say NOTSET , so date will be like Flied A entries which has REST , as a value , will be having m trans1..etc in FliedB
siminalry NOTSET in filed value will have values of trans1 etc in FiledA
So here am only intrested in trasn1,trans2...
Not sure I understand. Can you put the sample is a table form. A few rows with field names and values?
Below is the example of the events in table
So when you a stats i need like trans1 as 4 , trans2 as 5 , trans3 as 1 , the count combined from filed a and field b ingoring ERR and Res from these fileds. and also i want o do some avg on resptimeinsecs accordingly.. thanks in advance.
Event Flied A FliedB Source resptimeinsecs
1 Trans1 Res CP 10
2 Trans2 Res CP 45
3 Err Trans3 CP 67
4 Trans1 Res CP 91
5 Err Trans2 CP 78
6 Trans2 Res CP 86
7 Trans1 Res CP 90
8 Trans2 Res CP 86
9 Err Trans1 CP 90
10 Trans2 Res CP 86