Splunk Search

Merge two fields into one field

Motivator

I have the following result set coming from a search:

field_1 field_2
 1       2
 3       4
 5       6

I need to merge these two fields into a new field "output":

output
 1
 2
 3
 4
 5
 6

Thanks,
Lp

Tags (2)

New Member

I've had the most success combining two fields the following way
|eval CombinedName= Field1+ Field2+ Field3|

If you want to combine it by putting in some fixed text the following can be done
|eval CombinedName=Field1+ Field2+ Field3+ "fixedtext" +Field5|,Ive had the most success in combining two fields using the following

|eval ClearanceCode= NFC1 + NFC2 + NFC3|

0 Karma

Engager

Tested and ok here:


| eval output = mvappend('field_1', 'field_2')
| mvexpand output
| table output

0 Karma

Motivator
 ... | eval output = mvappend(field_1, field_2) | stats count by output | table output

Esteemed Legend

You could just add this to the end of your existing search:

... | eval output = mvdedup(mvappend(field_1, field_2)) | fields - field_1 field_2

Or even:

... | stats values(mvappend(field_1, field_2)) AS output
0 Karma

Explorer

Hiii,
I'm having a similar query but not getting output... Actually, I have created fields and I want to merge two fields into a single field... So I'm doing eval report = Duration. "-" .action which is giving good result but I need to run the SPL query every time...
Can extract the new field directly by merging old two fields???

0 Karma

Motivator

Put it into a "Calculated field".

props.conf
[mysourcetype]
eval-report = Duration. "-" .action

Esteemed Legend

Yes, what @landen99 said is the ticket for you.

0 Karma

Explorer

Simply rename the fields to the same name like this and it works!

yoursearchhere | rename field_1 as output | rename field_2 as output

(I found this after not wanting to deal with delimiters)

New Member

second rename result is always shown when we do this

0 Karma

Motivator

I downvoted this post because the solution does not work. it just leaves you with output containing the values of field_2

Explorer

True. My specific use case worked as I was dealing with 6 different log events so the source looks like this:

field1 field2
1
2
3
5
4
6

0 Karma

Legend

Yes, you can do this, but given the example in the original question:

field_1 field_2
1 2
3 4
5 6

Your solution would end up with 3 events, not 6. And your 3 events would have a multi-valued field named output. Nothing wrong with that, but it might be hard to work with, depending on what you wanted to do next.

BTW, if you wanted, you could also create field aliases that would make your renames "permanent" so that you don't have to do the renames every time.

0 Karma

Legend

Better answer:

yoursearchhere |
eval output = toString(field1) + ";" + toString(field2) |
makemv delim=";" output |
mvexpand output

This assumes that field1 and field2 are numeric. If they are not, you can use the following instead:

yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output

Note that a semicolon (;) is used as a delimiter, so a semicolon cannot appear in either field1 or field2.

Esteemed Legend

Note that the tostring() is not necessary if you use the proper concatenation character . instead of the ambiguous +.

0 Karma

Motivator

This solution assumes that you are starting with field1 and field2 not multivalue.

0 Karma

Legend

If field1 is multivalued, you can do this:

 eval output = mvappend(field1,field2)

To remove nulls:

eval output = mvfilter(output!=null())

Communicator

@lguinn2 Make this a comment so that it can be accepted as an answer. I found this to be correct.

0 Karma

Motivator

Nice learning experience. Thanks.

0 Karma

Explorer

Sorry for the late show, but this returns null in the second field

0 Karma

Engager

I am getting the null response as well.

0 Karma