Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to combine 3+ fields?

jldebell
Path Finder
‎03-02-2015 12:56 PM

I have three fields name_1, name_2, and name_3 that I would like to combine into one field. There is no guarantee that all three fields will contain information. I was able to locate this eval string.

|eval combined_name=if (isnotnull(name_3),name_1.name_2.name_3,name_1.name_2)

Basically if name_3 is null, name_1 and name_2 combine. This is working great until name_1 or name_2 are null. I tried a number of attempts but I am not coming up with the solution.

Examples:

|eval combined_user=if (isnotnull(name_3),name_1.name_2.name_3,name_1.name_2, name_1)

|eval combined_user=if (isnotnull(name_3)OR(name_2),name_1.name_2.name_3,name_1.name_2, name_1, name_2.name_3)

I also tried the following, but then realized, it will only display the first non-null field.

|eval combined_user=coalesce(name_1.name_2.name_3)

Has anyone had success with the 3+ fields?

Thanks, Jennifer

Reply
1 Solution
Solved! Jump to solution
Solution

mparks11
Path Finder
‎03-02-2015 02:20 PM

| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.name_2.name_3

This will fill a null value for any of name_1, name_2 or name_3, but since you don't want to actually fill the null value with an actual value, just use double quotes. Then your eval should work as expected and combine all three values into one new field for combined_user.

View solution in original post

Reply
Solved! Jump to solution
Solution

mparks11
Path Finder
‎03-02-2015 02:20 PM

| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.name_2.name_3

This will fill a null value for any of name_1, name_2 or name_3, but since you don't want to actually fill the null value with an actual value, just use double quotes. Then your eval should work as expected and combine all three values into one new field for combined_user.

Reply
Solved! Jump to solution

mparks11
Path Finder
‎03-02-2015 02:23 PM

Found another answer as a reference as well! http://answers.splunk.com/answers/61916/concatenating-more-than-one-field.html

Reply
Solved! Jump to solution

proletariat99
Communicator
‎03-02-2015 03:16 PM

Does the "." between the names just put the 3 names on the same line separated by a dot, so that the combined_user is a string like this?

name_1 = "steve"
name_2 = "dave"
name_3 = "buster"

combined_name = "steve.dave.buster"

0 Karma
Reply
Solved! Jump to solution

mparks11
Path Finder
‎03-02-2015 03:35 PM

No, the dot just concatenates the values of each three fields, so it'd be "stevedavebuster". If you wanted "steve.dave.buster" it'd be something like:

| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.".".name_2.".".name_3

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top