Solved: merging 2 fields based on a common 3 field in the ...

reddevilz · ‎11-18-2019

I have an index with multiple fields that I have created using "Extract new fields". The following is the what my current table looks like. I want to merge hostname and version field into one row if the user is the same. I have tried appending, stats(values), joining but not getting the desired result.

index=A | table user, hostname, version
user hostname version
abc pqr EmptyField
abc EmptyField xyz .

Output should be as follow:
user hostname version
abc pqr xyz

renjith_nair · ‎11-18-2019

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎11-18-2019

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

---
What goes around comes around. If it helps, hit it with Karma 🙂

merging 2 fields based on a common 3 field in the same index

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

merging 2 fields based on a common 3 field in the same index

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine