Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine similar values into one table column

aristidiskantas
Engager
‎06-15-2022 01:04 AM

Hello everyone, 

I am having two events with different sourcetypes that have similar fields with similar values however not the same.

I have found a way to combine the fields by using coalesce, however I would like to combine the values as well in order to get a clear result

I am running this search :

 

index="main" category="Foo" OR sourcetype="foo" 
| iplocation ip_address 
| eval severity_level = coalesce(severity, foo_severity)
| geostats count by severity_level

 


and I am having the following results. 

 

| longitude | latitude | HIGH | High | MEDIUM | Medium | LOW | Low |
|  143.2104 | -33.494  |  39  |  4   |   40   |   30   |  15 |  5  |

 

 
And I want to get something like:

 

| longitude | latitude | HIGH  | MEDIUM | LOW | 
|  143.2104 | -33.494  |  43   |   70   |  20 |

 

 
Could you please give a hint? Thank you very much in advance.

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 01:07 AM

Hi @aristidiskantas,

you have to convert all values in upper or lower case, something like this:

index="main" category="Foo" OR sourcetype="foo" 
| iplocation ip_address 
| eval severity_level = upper(coalesce(severity, foo_severity))
| geostats count by severity_level

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 01:07 AM

Hi @aristidiskantas,

you have to convert all values in upper or lower case, something like this:

index="main" category="Foo" OR sourcetype="foo" 
| iplocation ip_address 
| eval severity_level = upper(coalesce(severity, foo_severity))
| geostats count by severity_level

Ciao.

Giuseppe

Reply
Solved! Jump to solution

aristidiskantas
Engager
‎06-15-2022 01:27 AM

That worked! Thank you so mush for the input Giuseppe. 

Wish you the best,

Aris

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 01:29 AM

Hi @aristidiskantas,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated ;-

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...