Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Merge all values in two fields in a new one?

JohnnyMnemonic
Explorer
‎11-16-2022 05:16 AM

I have read all the posts about "merging fields" and none of the options work for me.

I have events where the same value can come in fields with different names. For example, one has the Action in a field called "act" and another the field is "actResult".

I tried to use:

|eval Action = coalesce("act","actResult")
|eval Action = mvappend("act","actResult")

But both optiones is generating a field with "act" and "actResult" as value, removing all actual values.

And also tried:

|rename act as Action actResult as Action

But it doesn't work 😞

Any ideas?

 

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2022 05:26 AM

Hi @JohnnyMnemonic,

let me understand:

you have a field called "act" containing IP addresses, then you have a field called "actResult" containing IP addresses,

you want a ne field called e-g- IP containing the value of act (if present) or the value of actResult (i not present the other).

In this case you can use coalesce.

If you use the Action field that has values you override those values with the result of the coalesce.

Concluding: what is your need?, could you share a sample of your field and values and the desidered output?

Ciao.

Giuseppe

0 Karma
Reply

JohnnyMnemonic
Explorer
‎11-16-2022 05:46 AM

Sorry I modified the question and didn't noticed that keep IPs as part of it.

Actually I have events where the field Action is "act" and other events where the same values are inside the field "actResult" but both fiels are never togheter in the same event, I mean, both fields are actually the same.

Then, I want to obtain a table with the Action in a column.

My real query:

index=my_index sourcetype=my_source
| eval Action = coalesce("act","actResult")
| stats values(createdTime) as EventTime, values(Action) by id
| table EventTime Action id

But the result is a column named "Action" where all rows have the value "act"

I know that the best option is to correct the parsing but I am not the administrator, I just can work with transformation commands.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2022 08:21 AM

Hi @JohnnyMnemonic,

if the Action field has always the value of act, this means that the coalesce is always verified with the act value and you haven't actResults values, please add values(act) AS act and values(actResults AS actResults to your stats command to analyze the values you have.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...