Splunk Search

How to concatenate two fields and display as one new field?

ulankford
Engager

I know this question has been asked numerous times but for some reason the solutions don't appear to work for me.
I want to display a field as Full_Name where the field is made up of two other fields that I have on hand, given & sn.
eval full_name = given." ".sn
eval full_name = given+" "+sn

The above I have seen as solutions, but neither works for me.
eval full_name=given and eval full_name=sn both display their individual fields, but when I try to combine them like above, nothing...

It may be to do with the way I am displaying the results, which is by chart.
chart values(given), values(sn), latest(login_time), values(full_name) by user

0 Karma

aweitzman
Motivator

So this "run anywhere" example works for me:

| gentimes start=-1 
| eval data="[u1,given1,surname1] [u2,given2,surname2] [u3,given3,surname3]" 
| makemv delim=" " data 
| mvexpand data 
| rex field=data "\[(?<user>.*),(?<given>.*),(?<sn>.*)\]" 
| eval full_name=given." ".sn 
| chart values(given) values(sn) values(full_name) by user

Everything prior to the eval full_name clause is just to generate the proper data. (You can run just that part to see what the result is.) Once I have that, the eval followed by the chart (similar to the way you have it) works just fine.

Hopefully seeing this work will help you identify what's not going right with your search.

ulankford
Engager

Thanks for that.
My full query is the following.

index=linux_syslog netgroup=sap* process="sshd" "session opened for user" | rex field=_raw "session opened for user (?<user>.*) by" | lookup groupLookup user OUTPUTNEW gid posixgroup given sn | convert timeformat="%d/%m/%y" ctime(_time) as login_time | search posixgroup="groupname" | chart values(posixgroup), values(given), values(sn), latest(login_time) by user | rename user AS "User" | rename values(posixgroup) AS "Groups" | rename values(given) AS "Given Name" | rename values(sn) AS Surname | rename latest(login_time) AS "Last Login" 

I think the reason this is not working is because the first name (given) and the surname (sn) are being generated only by the lookup, not taken from the actual log itself, and therefore it fails.

Now, unless there is some nifty way I can do this, the only other way to get around this is to just export the data into the lookup:

lookup groupLookup user OUTPUTNEW gid posixgroup given sn fullname
0 Karma

aweitzman
Motivator

Well, for one thing you can get rid of your rename clauses at the end by putting the as bits directly in your chart command:

chart values(posixgroup) as "Groups" values(given) as "Given Name" values(sn) as Surname latest(login_time) as "Last Login" by user

Beyond that, the lookup should not be causing you any problems, really. What happens if you put the eval full_name=given." ".sn clause directly after the lookup clause, and then include values(full_name) as a field in your chart command? I'm running a similar search locally (pulling fields out of lookups and using them in concatenations), and it's working fine.

0 Karma
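As an added, run-anywhere illustration of the two suggestions in this answer (compute full_name right after the lookup, and put the "as" renames inside chart), the search below is not from the thread or from Splunk's documentation. It uses makeresults with three constructed sshd "session opened" lines in place of index=linux_syslog, and an eval with case() in place of the real groupLookup, so that one user (svc_backup) deliberately has no given/sn, the way a lookup miss would leave it. That missing-field case is the caveat worth checking: given." ".sn evaluates to null when either operand is null, so full_name silently disappears for that row; the isnotnull() guard falls back to the raw user name instead.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
                 n==2, "sshd[1202]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
                 n==3, "sshd[1203]: pam_unix(sshd:session): session opened for user svc_backup by (uid=0)")
| rex field=_raw "session opened for user (?<user>\S+) by"
| eval given=case(user=="alice", "Alice", user=="bob", "Bob"),
       sn=case(user=="alice", "Anderson", user=="bob", "Baker"),
       posixgroup=case(user=="alice", "sapadm", user=="bob", "sapadm", user=="svc_backup", "backup")
| eval full_name=if(isnotnull(given) AND isnotnull(sn), given." ".sn, user)
| convert timeformat="%d/%m/%y" ctime(_time) AS login_time
| search posixgroup="sapadm"
| chart values(posixgroup) AS "Groups" values(given) AS "Given Name" values(sn) AS Surname values(full_name) AS "Full Name" latest(login_time) AS "Last Login" by user
```

In the real search, replace the makeresults/streamstats/first eval with the index search and rex, and the case() eval with lookup groupLookup user OUTPUTNEW gid posixgroup given sn. To see the null behaviour, remove the search posixgroup filter and swap the guarded eval for a plain eval full_name=given." ".sn: the svc_backup row then has no Full Name value at all, which is the symptom of a user that is missing from the lookup.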

eddit0r
Explorer

Can you display the output from using eval full_name = given." ".sn ?

That should work.

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Eval

0 Karma

dolivasoh
Contributor

I have lots of issues when using values(); if I'm only trying to display a single result and am not too concerned that the actual value will change, I tend to use latest() instead. Your eval looks correct though.

0 Karma

ulankford
Engager

Thanks for the tip. Unfortunately, using latest() instead of values() does not produce anything either.

0 Karma