Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multi Field values into Single field value
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamaleshwar
Explorer
11-19-2019
07:45 AM
I need help in getting multiple field values into single field to compare it and get the match if any.
For example, I have Field 1, Field 2, and so on till Field 10 and similarly each field is having unique value. I need to check if any of the value is matching with other events and get that value.
Please help on this and let me know if more info needed.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anantha123
Communicator
11-19-2019
10:52 AM
Hi,
To combine all fields in to 1 , you can try below query
| eval output=(mvappend(field1, field2, field3, field4, field5, field6, field7, field8, field9, field10)) | mvexpand output | dedup output | table output
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anantha123
Communicator
11-19-2019
10:52 AM
Hi,
To combine all fields in to 1 , you can try below query
| eval output=(mvappend(field1, field2, field3, field4, field5, field6, field7, field8, field9, field10)) | mvexpand output | dedup output | table output
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamaleshwar
Explorer
11-22-2019
01:16 AM
This worked, thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamaleshwar
Explorer
11-20-2019
12:38 AM
The output should not be the concatenated value of all field values, It should unique value only. Because I need to compare each value with other events values to get the matched one using the same value in different activities and get them out from that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
11-19-2019
10:02 AM
Can you show some example events and the expected output?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamaleshwar
Explorer
11-20-2019
12:36 AM
My log would have multiple user ids: userid1: "value"; userid2: "value" and so on. Here I need to get the userid value and compare it with other events to identify the same user id has been used in different activities/ multiple times.
The output would be like:
User ID Activity Count(Activity)
Let me know if this is helpful.
Get Updates on the Splunk Community!
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
The Latest Cisco Integrations With Splunk Platform!
Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
