Solved: Is there a way to combine field values from differ...

kdimaria · ‎08-30-2017

Basically I am trying to see if there is a way to do an eval to grab a field value from two different events. For example lets say I have:

Application=Chrome Note=this is an application
Application=Chrome Note=this is an application2

So I want to see if there is a way to make a new field where Application=Chrome that combines the two notes together into another field. so it'd add a field that is like Newnote=this is an application this is an applcation2.

niketn · ‎08-30-2017

Are you looking for the following?

| stats list(Note) as NewNote by Application

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

vasanthmss · ‎08-30-2017

When there is an similar Application comes all the notes will be added into Newnote field.

Try the below search,

... your base search | eventstats values(Note) as Newnote by Application | nomv Newnote

Hope this will helps you.

V

niketn · ‎08-30-2017

Are you looking for the following?

| stats list(Note) as NewNote by Application

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kdimaria · ‎08-30-2017

Thank you this worked 🙂

Is there a way to combine field values from different events?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms