Splunk Search

Merge 2 columns into one

premraj_vs
Path Finder

I have a query that returns a table like below

Component Hits ResponseTime Req-count
Comp-1 100 2.3
Comp-2 5.6 240

Both Hits and Req-count means the same but the header values in CSV files are different. I want the result to look like

Component Hits ResponseTime
Comp-1 100 2.3
Comp-2 240 5.6

I should make both the fields as same. I tried rename and it did not work.

It would be very helpful if someone can share their suggestions.

0 Karma
1 Solution

woodcock
Esteemed Legend

Just tack on one extra line, like this:

Your Existing Search Here
| eval Hits = coalesce(Hits, 'Req-count') | fields - "Req-Count"

View solution in original post

woodcock
Esteemed Legend

Just tack on one extra line, like this:

Your Existing Search Here
| eval Hits = coalesce(Hits, 'Req-count') | fields - "Req-Count"

DalJeanis
Legend

Please post the exact search code with the rename that did not work Remember to mark it as code so that the interface will not alter the code.

I suspect that the problem is a capitalization or spelling error, either in the rename line or in a prior line.

0 Karma

cmerriman
Super Champion

have you tried coalesce? |eval newField=coalesce(Hits,'Req-count')|fields - Hits "Req-Count"

Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...