Is there a function that concatenates result lines...

koljalauterbach · ‎10-18-2017

Hi everyone!

I would like to format a result into a string and I don't even know where to start and if there even is a function for that ...

My results are a simple list of number/characters:

AD1234
AB2342
GD4787
...

What I would like to have is a formatted string like this:

("AD1234","AB2342","GD4787","...")

Is there a function that concatenates result lines?

Thanks in advance!

cmerriman · ‎10-18-2017

Try something like this to add the double quotes and parentheses around the string..

...
|mvcombine delim="\",\"" field_name
|nomv data
|rex field=field_name mode=sed "s/(.*)/(\"\1\")/"

the function |format will format a series like (field=value1) OR (field=value2) OR .... but also works with more complex solutions, also, like when there is more than one field.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Format

gcusello · ‎10-18-2017

Hi
you have to use mvcombine and nomv, something like this

index=_internal 
| head 100 
| dedup source  
| table source 
| mvcombine delim=", " source 
| nomv source

Bye.
Giuseppe

Is there a function that concatenates result lines of strings?