Solved: Re: Merge near-identical field values

benefitcos · ‎10-16-2013

I am new to Splunk but am loving what it can do with it! We use Splunk to track user activity on our webapp. It looks in the logs and extracts my users into the field 'USERNAME'. However, I have one user who uses multiple logins that are almost the same:

Sandra.chin ... (17)
Sandra Chin ... (10)
sandra.chin ... (8)
sandra chin ... (4)
Sandra chin ... (2)

This is the same person, only spelled with case & punctuation five different ways. How can I merge these field values into one entry (lets say, Sandra Chin) with any/all appropriate totals accounted for? (logins, downloads, etc...) When correct, Sandra's single entry should read like this:

Sandra Chin ... (41)

And sort within the overall users count list like this:

Bill Johnson ... (88)
Sandra Chin ... (41)
Mary Thomas ... (24)

Would anyone know how I might accomplish this? Thanks in advance!

benefitcos · ‎10-16-2013

I later on found this answer:
http://answers.splunk.com/answers/61646/combining-multivalues-together-inside-a-field

However, I'm having trouble combining 'Sandra' and 'sandra' because of the case difference.

View solution in original post

benefitcos · ‎10-16-2013

That did the trick! Thank you.

lukejadamec · ‎10-16-2013

Try setting all of the field values to lower case before you combine them:

| eval USERNAME=lower(USERNAME)

That should eliminate any case problems.

benefitcos · ‎10-16-2013

I later on found this answer:
http://answers.splunk.com/answers/61646/combining-multivalues-together-inside-a-field

However, I'm having trouble combining 'Sandra' and 'sandra' because of the case difference.

benefitcos · ‎10-16-2013

per lukejadamec, adding: ... | eval USERNAME=lower(USERNAME) worked nicely.

Merge near-identical field values

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout