Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to concatenate Dynamic multivalue fields to single value fields?

wealot
Explorer
‎07-15-2022 07:38 AM

Hi all,

I have events coming in that have multivalue fields, but not always the same fields are multivalue. I want all the fields in the events resulting from a search to be concatenated to single value field.

Example:

Result now shows:

dest       xyz

                fff

Result should show:

dest   xyz [delimiter] fff

Just to be sure that everyone understand using dest here is an example it should be a query that I can run that would actually change every multivalue field regardless of field name.

Cheers,

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 07:56 AM 
| foreach *
    [| eval <<FIELD>>=mvjoin(<<FIELD>>,",")]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 07:56 AM 
| foreach *
    [| eval <<FIELD>>=mvjoin(<<FIELD>>,",")]
0 Karma
Reply
Solved! Jump to solution

wealot
Explorer
‎07-18-2022 12:05 AM

Mind blown! I did not know that foreach existed in Splunk, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top