Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Manipulating fields within a transaction

bcarr12
Path Finder
‎11-18-2014 07:03 AM

What would be the best way to go about manipulating fields within a transaction? For example, let's say I have the following transaction as part of my search to create a transaction:

"search text" source="mylog.log" | transaction maxpause=1s FieldA, FieldB, FieldC, FieldD

Within each transaction, there are additional fields that I use for creating alerts and reports. All of the logs have a descriptive field in them called FieldE. The problem is, sometimes FieldE is very specific and sometimes FieldE does not give me the information I need and requires an additional field, FieldF to get more information (I use a lookup table in both cases). In a normal case, I would put FieldE into a lookup table and output the DescriptionFieldE and be done.

In the cases where FieldE is not descriptive enough, I can use FieldF. FieldF is not present in every log in a transaction. At a high level, what I am trying to do is within each transaction:

If there is a value for FieldF, input it into a lookup table and output as DescriptionFieldF. Create a new field that has both the results of DescriptionFieldE and DescriptionFieldF. What is the best way to create a new field that is the combination of the results of several other fields? Basically something like:

NewField=DescriptionFieldE+DescriptionFieldF (the "results" of both these fields are words so I am not trying to actually add anything together, just combine the results into a single field)

0 Karma
Reply

lguinn2
Legend
‎11-18-2014 07:42 AM

You could do this using the concatenation operator:

| lookup fieldElookup FieldE output DescriptionFieldE
| lookup fieldFlookup FieldF output DescriptionFieldF
| eval newField=DescriptionFieldE . DescriptionFieldF
0 Karma
Reply

bcarr12
Path Finder
‎11-18-2014 08:13 AM

I gave this a shot and it doesn't seem to be working. I have a value for DescriptionFieldE and DescriptionFieldF, but if I do:

eval newfiled=DescriptionFieldE . DescriptionFieldF

It doesn't return any values? One thing I am unsure of, will this concatenation create one field with one result that has both descriptions in it? Or one field with two results?

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...