Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to append only two adjacent columns in a table?

_jgpm_
Communicator
‎12-04-2016 07:11 AM

I've already tried foreach, untable, and trim/mvappend in various combinations to solve this problem.

I have 30 columns of information (edit: And I don't want to specify them as they are dynamic), 1 column of text labels. I want to append pairs of the table together.

ex. data:
week |A-txt1 | B-txt1 | A-txt2 | B-txt2 etc...
0005 | 0002 | 00001 | 00003 | 00006

I want have column event data that looks like:
week | AB-txt1 |
0005 | 002:001 |

Ignore the leading zeros; I was trying to make the columns match up.

Can some wizard apply their sorcery?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-04-2016 09:18 AM

Is this what you're looking for (this is a run-anywhere sample)

| makeresults | eval week="0005" | eval A-txt1="0002" | eval B-txt1="0001" | eval A-txt2="0003" | eval B-txt2="0006" | table week *txt* | untable week fields data | rex field=fields "(?<label>\w)-(?<text>\w+)" | table week label text data | mvcombine data delim=":" | stats values(label) as label values(data) as data by week text  | makemv label delim="_" | makemv data delim=":" | eval field=label."-".text | xyseries week field data

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎12-04-2016 10:30 AM

Following is with eval for 4 sample fields A-txt1, B-txt1, A-txt2, B-txt2:

<your base search> | eval AB-txt1='A-txt1' + ":" + 'B-txt1' | eval AB-txt2='A-txt2' + ":" + 'B-txt2' | table _time week AB-txt1 AB-txt2

Following is with foreach for above eval(you can have n number of fields below, However, final table comand needs to be adjusted:

<your base search> | foreach *-txt* matchseg2="#matchseg2#" [eval AB-txt#matchseg2#='A-txt#matchseg2#' + ":" + 'B-txt#matchseg2#'] | table week AB-txt1 AB-txt2
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-04-2016 10:23 AM

...| eval a=mvzip(a-txt1,b-txt1) | eval b=mvzip(a,c-txt1) | ...

So on an so forth...

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-04-2016 09:18 AM

Is this what you're looking for (this is a run-anywhere sample)

| makeresults | eval week="0005" | eval A-txt1="0002" | eval B-txt1="0001" | eval A-txt2="0003" | eval B-txt2="0006" | table week *txt* | untable week fields data | rex field=fields "(?<label>\w)-(?<text>\w+)" | table week label text data | mvcombine data delim=":" | stats values(label) as label values(data) as data by week text  | makemv label delim="_" | makemv data delim=":" | eval field=label."-".text | xyseries week field data
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-04-2016 07:24 AM 
| strcat A-txt1 ":" B-txt1 AB-text1

This will create the field you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...