Splunk Search

Manipulating fields within a transaction

bcarr12
Path Finder

What would be the best way to go about manipulating fields within a transaction? For example, let's say I have the following transaction as part of my search to create a transaction:

"search text" source="mylog.log" | transaction maxpause=1s FieldA, FieldB, FieldC, FieldD

Within each transaction, there are additional fields that I use for creating alerts and reports. All of the logs have a descriptive field in them called FieldE. The problem is, sometimes FieldE is very specific and sometimes FieldE does not give me the information I need and requires an additional field, FieldF to get more information (I use a lookup table in both cases). In a normal case, I would put FieldE into a lookup table and output the DescriptionFieldE and be done.

In the cases where FieldE is not descriptive enough, I can use FieldF. FieldF is not present in every log in a transaction. At a high level, what I am trying to do is within each transaction:

If there is a value for FieldF, input it into a lookup table and output as DescriptionFieldF. Create a new field that has both the results of DescriptionFieldE and DescriptionFieldF. What is the best way to create a new field that is the combination of the results of several other fields? Basically something like:

NewField=DescriptionFieldE+DescriptionFieldF (the "results" of both these fields are words so I am not trying to actually add anything together, just combine the results into a single field)

0 Karma

lguinn2
Legend

You could do this using the concatenation operator:

| lookup fieldElookup FieldE output DescriptionFieldE
| lookup fieldFlookup FieldF output DescriptionFieldF
| eval newField=DescriptionFieldE . DescriptionFieldF
0 Karma

bcarr12
Path Finder

I gave this a shot and it doesn't seem to be working. I have a value for DescriptionFieldE and DescriptionFieldF, but if I do:

eval newfiled=DescriptionFieldE . DescriptionFieldF

It doesn't return any values? One thing I am unsure of, will this concatenation create one field with one result that has both descriptions in it? Or one field with two results?

0 Karma
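An added example, not code from either poster, of a full search that does the combination described in the thread. It assumes the lookup names fieldElookup and fieldFlookup from lguinn2's reply and the field names from the question. Two points it handles: in eval, the "." operator yields null when either operand is null, so a transaction whose events never carried FieldF gets no newField at all unless the missing description is replaced with an empty string; and transaction collects a field that varies across the grouped events into a multivalue field, so each description is joined into one string before the concatenation.

```spl
"search text" source="mylog.log"
| lookup fieldElookup FieldE OUTPUT DescriptionFieldE
| lookup fieldFlookup FieldF OUTPUT DescriptionFieldF
| transaction maxpause=1s FieldA, FieldB, FieldC, FieldD
| eval DescriptionFieldE = mvjoin(mvdedup(DescriptionFieldE), ", ")
| eval DescriptionFieldF = mvjoin(mvdedup(DescriptionFieldF), ", ")
| eval newField = coalesce(DescriptionFieldE, "") . if(isnotnull(DescriptionFieldF), " (" . DescriptionFieldF . ")", "")
| table _time, FieldA, FieldB, FieldC, FieldD, newField
```

Running the lookups before transaction means each event is enriched on its own single-valued FieldE and FieldF; after transaction, mvdedup and mvjoin collapse whatever distinct descriptions the group contained into one value per transaction, so newField is a single field with a single result rather than a field with two results. The parentheses around DescriptionFieldF are only a separator choice; any literal string works in their place.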