Solved: merging 2 fields based on a common 3 field in the ...

reddevilz · ‎11-18-2019

I have an index with multiple fields that I have created using "Extract new fields". The following is the what my current table looks like. I want to merge hostname and version field into one row if the user is the same. I have tried appending, stats(values), joining but not getting the desired result.

index=A | table user, hostname, version
user hostname version
abc pqr EmptyField
abc EmptyField xyz .

Output should be as follow:
user hostname version
abc pqr xyz

renjith_nair · ‎11-18-2019

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎11-18-2019

@reddevilz ,
If the values are displayed as multi lines, then try

|stats delim="" values(hostname) as hostname,values(version) as version  by user
| nomv hostname|nomv version

OR

|stats values(hostname) as hostname,values(version) as version  by user
| mvcombine delim="" host|mvcombine delim="" version

---
What goes around comes around. If it helps, hit it with Karma 🙂

merging 2 fields based on a common 3 field in the same index

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

merging 2 fields based on a common 3 field in the same index

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...