Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to merge two fields into one field?

lpolo
Motivator
‎05-31-2012 09:50 AM

I have the following result set coming from a search:

field_1 field_2
 1       2
 3       4
 5       6

I need to merge these two fields into a new field "output":

output
 1
 2
 3
 4
 5
 6

Thanks,
Lp

Labels (1)
Labels
Tags (2)
Reply

DPOIRE
Path Finder
‎01-12-2023 01:03 PM 
| eval output=coalesce(field_1,field_2)
| table output



if your field names contains special characters, coalesce may not work and you might have to rename them first
Example:

| rename field_1 as field1
| rename field_2 as field2
| eval output=coalesce(field1,field2)
| table output
Reply

mlhadmin
Explorer
‎10-23-2024 09:27 AM

coalesce is not the right approach if both fields have a value in the same event as it will only use the value of the first field containing a non-null value...

0 Karma
Reply

dtenorio
Engager
‎03-14-2023 09:37 AM

This worked for me, thanks!

0 Karma
Reply

dcarty
New Member
‎07-29-2019 10:59 PM

I've had the most success combining two fields the following way
|eval CombinedName= Field1+ Field2+ Field3|

If you want to combine it by putting in some fixed text the following can be done
|eval CombinedName=Field1+ Field2+ Field3+ "fixedtext" +Field5|,Ive had the most success in combining two fields using the following

|eval ClearanceCode= NFC1 + NFC2 + NFC3|

0 Karma
Reply

lit_gustavo
Explorer
‎06-26-2020 02:48 PM

Tested and ok here:

 

| eval output = mvappend('field_1', 'field_2')
| mvexpand output
| table output
Reply

landen99
Motivator
‎07-13-2019 03:59 PM 
 ... | eval output = mvappend(field_1, field_2) | stats count by output | table output
Reply

woodcock
Esteemed Legend
‎05-10-2019 11:39 AM

You could just add this to the end of your existing search:

... | eval output = mvdedup(mvappend(field_1, field_2)) | fields - field_1 field_2

Or even:

... | stats values(mvappend(field_1, field_2)) AS output
Reply

mlhadmin
Explorer
‎10-23-2024 09:23 AM

FWIW, this syntax is not working for me:

... | stats values(mvappend(field_1, field_2)) AS output
0 Karma
Reply

mlhadmin
Explorer
‎10-23-2024 09:31 AM

You can split it into 2 commands to make it work:

...
| eval output=mvappend(field_1, field_2)
| stats values(output) as output
0 Karma
Reply

marisstella
Explorer
‎07-12-2019 10:22 PM

Hiii,
I'm having a similar query but not getting output... Actually, I have created fields and I want to merge two fields into a single field... So I'm doing eval report = Duration. "-" .action which is giving good result but I need to run the SPL query every time...
Can extract the new field directly by merging old two fields???

0 Karma
Reply

landen99
Motivator
‎07-13-2019 03:21 PM

Put it into a "Calculated field".

props.conf
[mysourcetype]
eval-report = Duration. "-" .action
Reply

woodcock
Esteemed Legend
‎07-13-2019 03:27 PM

Yes, what @landen99 said is the ticket for you.

0 Karma
Reply

e_sherlock
Explorer
‎10-08-2012 01:38 PM

Simply rename the fields to the same name like this and it works! 

yoursearchhere | rename field_1 as output | rename field_2 as output

(I found this after not wanting to deal with delimiters)

Reply

vinodti
New Member
‎01-31-2018 08:37 PM

second rename result is always shown when we do this

0 Karma
Reply

landen99
Motivator
‎07-12-2017 11:35 AM

I downvoted this post because the solution does not work. it just leaves you with output containing the values of field_2

Reply

e_sherlock
Explorer
‎10-09-2012 12:54 PM

True. My specific use case worked as I was dealing with 6 different log events so the source looks like this:

field_1 field_2
1
2
3
5
4
6

0 Karma
Reply

lguinn2
Legend
‎10-08-2012 09:22 PM

Yes, you can do this, but given the example in the original question:

field_1 field_2
1 2
3 4
5 6

Your solution would end up with 3 events, not 6. And your 3 events would have a multi-valued field named output. Nothing wrong with that, but it might be hard to work with, depending on what you wanted to do next.

BTW, if you wanted, you could also create field aliases that would make your renames "permanent" so that you don't have to do the renames every time.

0 Karma
Reply

lguinn2
Legend
‎06-01-2012 06:41 AM

Better answer:

yoursearchhere |
eval output = toString(field1) + ";" + toString(field2) |
makemv delim=";" output |
mvexpand output

This assumes that field1 and field2 are numeric. If they are not, you can use the following instead:

yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output

Note that a semicolon (;) is used as a delimiter, so a semicolon cannot appear in either field1 or field2.

Reply

woodcock
Esteemed Legend
‎07-30-2019 11:12 AM

Note that the tostring() is not necessary if you use the proper concatenation character . instead of the ambiguous +.

0 Karma
Reply

landen99
Motivator
‎02-16-2017 01:30 PM

This solution assumes that you are starting with field1 and field2 not multivalue.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top