Solved: merging 2 fields based on a common 3 field in the ...

reddevilz · ‎11-18-2019

I have an index with multiple fields that I have created using "Extract new fields". The following is the what my current table looks like. I want to merge hostname and version field into one row if the user is the same. I have tried appending, stats(values), joining but not getting the desired result.

index=A | table user, hostname, version
user hostname version
abc pqr EmptyField
abc EmptyField xyz .

Output should be as follow:
user hostname version
abc pqr xyz

renjith_nair · ‎11-18-2019

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎11-18-2019

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

---
What goes around comes around. If it helps, hit it with Karma 🙂

merging 2 fields based on a common 3 field in the same index

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

merging 2 fields based on a common 3 field in the same index

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem