Splunk Search

How to merge several fields from a log to one field?

ljxdennis
New Member

Hi guys,

i am pretty new to Splunk and i have the following Task.
I have four Systems with logs. I want to merge several fields from a log from one system to one field to generate a X-Trace-ID. I Need this X-Trace-ID to track the Transaction over the four Systems away.
Actually i could use the method of expanding the database of each Systems concerning one column and add an X-Trace-ID but we can't do that because of cost Problems.
Could you help me how can i generate in an alternative way a X-Trace-ID accross System boundaries?

Thank you very much and i am looking Forward for some answers.

Greetings

Dennis

Tags (1)
0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

Assuming I am understanding your request correctly, it sounds like you want to create a new field made up of a concatenation of other fields in the same event. If this is correct, try something like this:

<YOUR BASE SEARCH>
| eval X-Trace-ID=field1 . "-" . field2 . "-" field3 . "-" . field4

Not sure if you wanted the values separated or not, so I added the "-" between fields.

View solution in original post

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Assuming I am understanding your request correctly, it sounds like you want to create a new field made up of a concatenation of other fields in the same event. If this is correct, try something like this:

<YOUR BASE SEARCH>
| eval X-Trace-ID=field1 . "-" . field2 . "-" field3 . "-" . field4

Not sure if you wanted the values separated or not, so I added the "-" between fields.

0 Karma

ljxdennis
New Member

Thank you much! 🙂

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...