I've had the most success combining two fields the following way
|eval CombinedName= Field1+ Field2+ Field3|
If you want to combine it by putting in some fixed text the following can be done
|eval CombinedName=Field1+ Field2+ Field3+ "fixedtext" +Field5|
I've had the most success in combining two fields using the following
|eval ClearanceCode= NFC1 + NFC2 + NFC3|
You could just add this to the end of your existing search:
... | eval output = mvdedup(mvappend(field_1, field_2)) | fields - field_1 field_2
... | stats values(mvappend(field_1, field_2)) AS output
I'm having a similar query but not getting output... Actually, I have created fields and I want to merge two fields into a single field... So I'm doing eval report = Duration. "-" .action which is giving a good result, but I need to run the SPL query every time...
Can I extract the new field directly by merging the two old fields?
Simply rename the fields to the same name like this and it works!
yoursearchhere | rename field_1 as output | rename field_2 as output
(I found this after not wanting to deal with delimiters)
Yes, you can do this, but given the example in the original question:
Your solution would end up with 3 events, not 6. And your 3 events would have a multi-valued field named output. Nothing wrong with that, but it might be hard to work with, depending on what you wanted to do next.
BTW, if you wanted, you could also create field aliases that would make your renames "permanent" so that you don't have to do the renames every time.
yoursearchhere | eval output = toString(field1) + ";" + toString(field2) | makemv delim=";" output | mvexpand output
This assumes that field1 and field2 are numeric. If they are not, you can use the following instead:
yoursearchhere | eval output = field1 + ";" + field2 | makemv delim=";" output | mvexpand output
Note that a semicolon (;) is used as a delimiter, so a semicolon cannot appear in either field1 or field2.
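Added example, not from any of the posts above: a self-contained search that builds three constructed events with makeresults (one of them with a semicolon inside field1) and merges the two fields with mvappend before mvexpand, so no delimiter is involved. The field names field1, field2 and output follow the thread; the values and the helper field n are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval field1 = case(n=1, "a;b", n=2, "c", n=3, "d")
| eval field2 = case(n=1, "x", n=2, "y", n=3, "z")
| eval output = mvappend(field1, field2)
| mvexpand output
| table n field1 field2 output
```

This returns 6 rows, one per original field value, with "a;b" kept intact. Swapping the mvappend line for the `field1 + ";" + field2 | makemv delim=";" output` form would split that value and return 7 rows.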