Splunk Search

Join multiple fields into few unique field

yuming1127
Path Finder

Hi,
I'm looking for something similar to this, but please note that the description* wildcard can go up to 20+ fields; the same goes for weight_*.
I did try foreach [|eval ] + coalesce(), but I'm not sure why some of my field values are missing after the foreach loop.
Just asking if there is another method other than foreach[].

my search...

product    description1  description2  weight_a  weight_b  weight_c
product_a  string_a      string_b      number_a  number_b  number_c
product_b  string_c      string_d      number_d  number_e  number_f
product_c  string_e      string_f      number_g  number_h  number_i

desired output

product    description            weight
product_a  description1=string_a  weight_a=number_a
           description2=string_b  weight_b=number_b
                                  weight_c=number_c
product_b  description1=string_c  weight_a=number_d
           description2=string_d  weight_b=number_e
                                  weight_c=number_f
product_c  description1=string_e  weight_a=number_g
           description2=string_f  weight_b=number_g
                                  weight_c=number_i

Thanks in advance.

0 Karma

kamlesh_vaghela
SplunkTrust

@yuming1127 

Can you please try this?

With your provided sample data this will work.

YOUR_SEARCH
| fields product description1 description2 weight_a weight_b weight_c
| eval description=mvappend("description1=".description1,"description2=".description2)
| eval weight=mvappend("weight_a=".weight_a,"weight_b=".weight_b,"weight_c=".weight_c)
| table  product description weight

 

My Sample Search :

| makeresults | eval _raw="product	description1	description2	weight_a	weight_b	weight_c
product_a	string_a	string_b	number_a	number_b	number_c
product_b	string_c	string_d	number_d	number_e	number_f
product_c	string_e	string_f	number_g	number_h	number_i"| multikv  forceheader=1
| fields product description1 description2 weight_a weight_b weight_c
| eval description=mvappend("description1=".description1,"description2=".description2)
| eval weight=mvappend("weight_a=".weight_a,"weight_b=".weight_b,"weight_c=".weight_c)
| table  product description weight

 

In case of multiple description and weight fields, try this.

YOUR_SEARCH
| fields product description1 description2 weight_a weight_b weight_c
| foreach description* [| eval description=mvappend(description,"<<FIELD>>=".'<<FIELD>>')]
| foreach weight_* [| eval weight=mvappend(weight,"<<FIELD>>=".'<<FIELD>>')]
| table  product description weight

 

My Sample Search :

| makeresults | eval _raw="product	description1	description2	weight_a	weight_b	weight_c
product_a	string_a	string_b	number_a	number_b	number_c
product_b	string_c	string_d	number_d	number_e	number_f
product_c	string_e	string_f	number_g	number_h	number_i"| multikv  forceheader=1
| fields product description1 description2 weight_a weight_b weight_c
| foreach description* [| eval description=mvappend(description,"<<FIELD>>=".'<<FIELD>>')]
| foreach weight_* [| eval weight=mvappend(weight,"<<FIELD>>=".'<<FIELD>>')]
| table  product description weight

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

0 Karma
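
A way to get the same output without foreach, added here as an example (it is not part of either post above): untable turns every description* and weight_* column into one row per product, and stats list() collects the rows back into two multivalue fields. The sample rows are constructed with makeresults; the field names n, field, value and pair are assumptions, and weight_c is deliberately left empty for the second product to show that a missing value simply contributes no entry. It assumes product is unique per row.

```spl
| makeresults count=3
| streamstats count AS n
| eval product="product_".n, description1="string_1_".n, description2="string_2_".n
| eval weight_a=n*10, weight_b=n*20, weight_c=if(n=2, null(), n*30)
| table product description* weight_*
| untable product field value
| eval pair=field."=".value
| eval description=if(match(field, "^description"), pair, null())
| eval weight=if(match(field, "^weight_"), pair, null())
| stats list(description) AS description list(weight) AS weight BY product
```

Replace the first four lines with YOUR_SEARCH to run it on real data; the number of description* and weight_* fields does not need to be known in advance.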