Splunk Search

Merge all values in two fields in a new one?

JohnnyMnemonic
Explorer

I have read all the posts about "merging fields" and none of the options work for me.

I have events where the same value can come in fields with different names. For example, one event has the Action in a field called "act" and in another the field is "actResult".

I tried to use:

|eval Action = coalesce("act","actResult")
|eval Action = mvappend("act","actResult")

But both options are generating a field with "act" and "actResult" as values, removing all actual values.

And also tried:

|rename act as Action actResult as Action

But it doesn't work 😞

Any ideas?

0 Karma

gcusello
SplunkTrust

Hi @JohnnyMnemonic,

let me understand:

you have a field called "act" containing IP addresses, then you have a field called "actResult" containing IP addresses,

you want a new field called e.g. IP containing the value of act (if present) or the value of actResult (if the other is not present).

In this case you can use coalesce.

If you use the Action field that has values you override those values with the result of the coalesce.

Concluding: what is your need? Could you share a sample of your fields and values and the desired output?

Ciao.

Giuseppe

0 Karma

JohnnyMnemonic
Explorer

Sorry, I modified the question and didn't notice that I kept IPs as part of it.

Actually I have events where the field for the Action is "act" and other events where the same values are inside the field "actResult", but both fields are never together in the same event; I mean, both fields are actually the same.

Then, I want to obtain a table with the Action in a column.

My real query:

index=my_index sourcetype=my_source
| eval Action = coalesce("act","actResult")
| stats values(createdTime) as EventTime, values(Action) by id
| table EventTime Action id

But the result is a column named "Action" where all rows have the value "act"

I know that the best option is to correct the parsing but I am not the administrator, I just can work with transformation commands.

0 Karma
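The following is an added example, not code from either participant in this thread. It rebuilds the situation described in the query above with constructed sample events (via makeresults; the ids, timestamps and the values "allow", "deny" and "drop" are assumptions) and shows the two coalesce forms side by side. In eval, a double-quoted argument is a string literal, not a field name, so coalesce("act","actResult") always returns the literal text "act", which is exactly the column of "act" values reported above; the unquoted form coalesce(act, actResult) reads the fields. Field names only need quoting in eval when they contain spaces or special characters, and then they take single quotes.

```spl
| makeresults count=3
| streamstats count AS id
| eval createdTime=case(id=1, "2024-12-01T10:00:00Z", id=2, "2024-12-01T10:05:00Z", id=3, "2024-12-01T10:10:00Z")
| eval act=case(id=1, "allow")
| eval actResult=case(id=2, "deny", id=3, "drop")
| eval Action_literal=coalesce("act", "actResult")
| eval Action=coalesce(act, actResult)
| stats values(createdTime) AS EventTime, values(Action_literal) AS Action_literal, values(Action) AS Action BY id
| table EventTime Action_literal Action id
```

Running this gives Action_literal="act" on every row, while Action is "allow", "deny" and "drop" for ids 1, 2 and 3 respectively, because case() with no matching branch leaves the other field null and coalesce picks the first non-null argument. Note also that stats names an aggregated column after the function unless you alias it, so a later table Action only finds the column when the stats clause says values(Action) AS Action. Applied to the real search, the same pattern is index=my_index sourcetype=my_source | eval Action=coalesce(act, actResult) | stats values(createdTime) AS EventTime, values(Action) AS Action BY id | table EventTime Action id.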

gcusello
SplunkTrust

Hi @JohnnyMnemonic,

if the Action field always has the value of act, this means that the coalesce is always verified with the act value and you haven't got actResult values; please add values(act) AS act and values(actResult) AS actResult to your stats command to analyze the values you have.

Ciao.

Giuseppe

0 Karma