Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Merge all values in two fields in a new one?

JohnnyMnemonic
Explorer
‎11-16-2022 05:16 AM

I have read all the posts about "merging fields" and none of the options work for me.

I have events where the same value can come in fields with different names. For example, one has the Action in a field called "act" and another the field is "actResult".

I tried to use:

|eval Action = coalesce("act","actResult")
|eval Action = mvappend("act","actResult")

But both optiones is generating a field with "act" and "actResult" as value, removing all actual values.

And also tried:

|rename act as Action actResult as Action

But it doesn't work 😞

Any ideas?

 

Labels (4)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2022 05:26 AM

Hi @JohnnyMnemonic,

let me understand:

you have a field called "act" containing IP addresses, then you have a field called "actResult" containing IP addresses,

you want a ne field called e-g- IP containing the value of act (if present) or the value of actResult (i not present the other).

In this case you can use coalesce.

If you use the Action field that has values you override those values with the result of the coalesce.

Concluding: what is your need?, could you share a sample of your field and values and the desidered output?

Ciao.

Giuseppe

0 Karma
Reply

JohnnyMnemonic
Explorer
‎11-16-2022 05:46 AM

Sorry I modified the question and didn't noticed that keep IPs as part of it.

Actually I have events where the field Action is "act" and other events where the same values are inside the field "actResult" but both fiels are never togheter in the same event, I mean, both fields are actually the same.

Then, I want to obtain a table with the Action in a column.

My real query:

index=my_index sourcetype=my_source
| eval Action = coalesce("act","actResult")
| stats values(createdTime) as EventTime, values(Action) by id
| table EventTime Action id

But the result is a column named "Action" where all rows have the value "act"

I know that the best option is to correct the parsing but I am not the administrator, I just can work with transformation commands.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2022 08:21 AM

Hi @JohnnyMnemonic,

if the Action field has always the value of act, this means that the coalesce is always verified with the act value and you haven't actResults values, please add values(act) AS act and values(actResults AS actResults to your stats command to analyze the values you have.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...