Splunk Search

How to combine two fields to one field

prashanthberam
Explorer

I WANT TO COMBINE THOSE TIMESTAMP INTO ONE COLUMN HOW CAN I DO THAT

BUT I DON'T WANT USE THE TRANSACTION COMMAND

HELP ME GUYS THE SAMPLE TABLE

ID TIMESTAMP1 TIMESTAMP2
1 --------- ------ 201
1 210 ------------------
2 --------------- 310
2 310 ---------------

I WANT TO COMBINE BOTH OF THEM BUT DON'T USE TRANSACTION COMMAND.

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search | stats values(TIMESTAMP1) as TIMESTAMP1 values(TIMESTAMP2) as TIMESTAMP2 by ID

View solution in original post

somesoni2
Revered Legend

Give this a try

your base search | stats values(TIMESTAMP1) as TIMESTAMP1 values(TIMESTAMP2) as TIMESTAMP2 by ID

prashanthberam
Explorer

it's worked perfectly thank you so much somesh...

0 Karma

ChrisG
Splunk Employee
Splunk Employee

No need to shout!

martin_mueller
SplunkTrust
SplunkTrust

try this:

... | eval timestamp = coalesce(timestamp1, timestamp2)

martin_mueller
SplunkTrust
SplunkTrust

you didn't specify what result you wanted, and this combines the two fields into one field as you requested.

somesh's answer you accepted combines two rows into one row. be more specific in your question.

0 Karma

prashanthberam
Explorer

actually single id am getting 1 column empty and other column have the value
in the same way id no 1 has another row that is also the same

so i want to dis play like this

1 210 201
2 310 310
3 410 450

like this ....

0 Karma

prashanthberam
Explorer

NO AM NOT GETTING THE RESULT WAS SAME IN FACT AM LOSING THE ONE COLUMN

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...