Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Manipulating fields within a transaction

bcarr12
Path Finder
‎11-18-2014 07:03 AM

What would be the best way to go about manipulating fields within a transaction? For example, let's say I have the following transaction as part of my search to create a transaction:

"search text" source="mylog.log" | transaction maxpause=1s FieldA, FieldB, FieldC, FieldD

Within each transaction, there are additional fields that I use for creating alerts and reports. All of the logs have a descriptive field in them called FieldE. The problem is, sometimes FieldE is very specific and sometimes FieldE does not give me the information I need and requires an additional field, FieldF to get more information (I use a lookup table in both cases). In a normal case, I would put FieldE into a lookup table and output the DescriptionFieldE and be done.

In the cases where FieldE is not descriptive enough, I can use FieldF. FieldF is not present in every log in a transaction. At a high level, what I am trying to do is within each transaction:

If there is a value for FieldF, input it into a lookup table and output as DescriptionFieldF. Create a new field that has both the results of DescriptionFieldE and DescriptionFieldF. What is the best way to create a new field that is the combination of the results of several other fields? Basically something like:

NewField=DescriptionFieldE+DescriptionFieldF (the "results" of both these fields are words so I am not trying to actually add anything together, just combine the results into a single field)

0 Karma
Reply

lguinn2
Legend
‎11-18-2014 07:42 AM

You could do this using the concatenation operator:

| lookup fieldElookup FieldE output DescriptionFieldE
| lookup fieldFlookup FieldF output DescriptionFieldF
| eval newField=DescriptionFieldE . DescriptionFieldF
0 Karma
Reply

bcarr12
Path Finder
‎11-18-2014 08:13 AM

I gave this a shot and it doesn't seem to be working. I have a value for DescriptionFieldE and DescriptionFieldF, but if I do:

eval newfiled=DescriptionFieldE . DescriptionFieldF

It doesn't return any values? One thing I am unsure of, will this concatenation create one field with one result that has both descriptions in it? Or one field with two results?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...