Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a function that concatenates result lines of strings?

koljalauterbach
New Member
‎10-18-2017 02:12 AM

Hi everyone!

I would like to format a result into a string and I don't even know where to start and if there even is a function for that ...

My results are a simple list of number/characters:

AD1234
AB2342
GD4787
...

What I would like to have is a formatted string like this:

("AD1234","AB2342","GD4787","...")

Is there a function that concatenates result lines?

Thanks in advance!

0 Karma
Reply

cmerriman
Super Champion
‎10-18-2017 04:56 AM

Try something like this to add the double quotes and parentheses around the string..

...
|mvcombine delim="\",\"" field_name
|nomv data
|rex field=field_name mode=sed "s/(.*)/(\"\1\")/"

the function |format will format a series like (field=value1) OR (field=value2) OR .... but also works with more complex solutions, also, like when there is more than one field.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Format

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-18-2017 04:36 AM

Hi
you have to use mvcombine and nomv, something like this

index=_internal 
| head 100 
| dedup source  
| table source 
| mvcombine delim=", " source 
| nomv source

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top