Splunk Search

How to merge two fields into one field?

lpolo
Motivator

I have the following result set coming from a search:

field_1 field_2
 1       2
 3       4
 5       6

I need to merge these two fields into a new field "output":

output
 1
 2
 3
 4
 5
 6

Thanks,
Lp

Labels (1)
Tags (2)

DPOIRE
Path Finder

| eval output=coalesce(field_1,field_2)
| table output

if your field names contains special characters, coalesce may not work and you might have to rename them first
Example:
| rename field_1 as field1
| rename field_2 as field2
| eval output=coalesce(field1,field2)
| table output

dtenorio
Engager

This worked for me, thanks!

0 Karma

dcarty
New Member

I've had the most success combining two fields the following way
|eval CombinedName= Field1+ Field2+ Field3|

If you want to combine it by putting in some fixed text the following can be done
|eval CombinedName=Field1+ Field2+ Field3+ "fixedtext" +Field5|,Ive had the most success in combining two fields using the following

|eval ClearanceCode= NFC1 + NFC2 + NFC3|

0 Karma

lit_gustavo
Explorer

Tested and ok here:


| eval output = mvappend('field_1', 'field_2')
| mvexpand output
| table output

landen99
Motivator
 ... | eval output = mvappend(field_1, field_2) | stats count by output | table output

woodcock
Esteemed Legend

You could just add this to the end of your existing search:

... | eval output = mvdedup(mvappend(field_1, field_2)) | fields - field_1 field_2

Or even:

... | stats values(mvappend(field_1, field_2)) AS output

marisstella
Explorer

Hiii,
I'm having a similar query but not getting output... Actually, I have created fields and I want to merge two fields into a single field... So I'm doing eval report = Duration. "-" .action which is giving good result but I need to run the SPL query every time...
Can extract the new field directly by merging old two fields???

0 Karma

landen99
Motivator

Put it into a "Calculated field".

props.conf
[mysourcetype]
eval-report = Duration. "-" .action

woodcock
Esteemed Legend

Yes, what @landen99 said is the ticket for you.

0 Karma

e_sherlock
Explorer

Simply rename the fields to the same name like this and it works!

yoursearchhere | rename field_1 as output | rename field_2 as output

(I found this after not wanting to deal with delimiters)

vinodti
New Member

second rename result is always shown when we do this

0 Karma

landen99
Motivator

I downvoted this post because the solution does not work. it just leaves you with output containing the values of field_2

e_sherlock
Explorer

True. My specific use case worked as I was dealing with 6 different log events so the source looks like this:

field_1 field_2
1
2
3
5
4
6

0 Karma

lguinn2
Legend

Yes, you can do this, but given the example in the original question:

field_1 field_2
1 2
3 4
5 6

Your solution would end up with 3 events, not 6. And your 3 events would have a multi-valued field named output. Nothing wrong with that, but it might be hard to work with, depending on what you wanted to do next.

BTW, if you wanted, you could also create field aliases that would make your renames "permanent" so that you don't have to do the renames every time.

0 Karma

lguinn2
Legend

Better answer:

yoursearchhere |
eval output = toString(field1) + ";" + toString(field2) |
makemv delim=";" output |
mvexpand output

This assumes that field1 and field2 are numeric. If they are not, you can use the following instead:

yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output

Note that a semicolon (;) is used as a delimiter, so a semicolon cannot appear in either field1 or field2.

woodcock
Esteemed Legend

Note that the tostring() is not necessary if you use the proper concatenation character . instead of the ambiguous +.

0 Karma

landen99
Motivator

This solution assumes that you are starting with field1 and field2 not multivalue.

0 Karma

lguinn2
Legend

If field1 is multivalued, you can do this:

 eval output = mvappend(field1,field2)

To remove nulls:

eval output = mvfilter(output!=null())

ryhluc01
Communicator

@lguinn2 Make this a comment so that it can be accepted as an answer. I found this to be correct.

0 Karma

lpolo
Motivator

Nice learning experience. Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...