Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

merging 2 fields based on a common 3 field in the same index

reddevilz
Engager
โ€Ž11-18-2019 04:28 PM

I have an index with multiple fields that I have created using "Extract new fields". The following is the what my current table looks like. I want to merge hostname and version field into one row if the user is the same. I have tried appending, stats(values), joining but not getting the desired result.

index=A | table user, hostname, version
user hostname version
abc pqr EmptyField
abc EmptyField xyz .

Output should be as follow:
user hostname version
abc pqr xyz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
โ€Ž11-18-2019 07:09 PM

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
โ€Ž11-18-2019 07:09 PM

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

View solution in original post

Reply