Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combining Two Fields For Searching

henryt1
Path Finder
‎05-18-2012 12:24 PM

So I'm trying to run a search in Splunk and have two fields combined to return one larger field. My basic search is:

(host="web01.inno-360.com" AND source="/var/log/apache2/basf_ssl_access.log" AND "/profile-services/talent") OR (host="zakta01.inno-360.com" AND basf-landscaping.inno-360.com AND "GET /search" AND query=*)

From that I'm interested in two fields: 1) 'query' 2) 'q'. I would like to combine these two fields to end with something like:

... | stats count by newField

From searching I have tried using eval like this:

... | eval newField= query." ".q | stats count by newField

However I've had absolutely no luck at all with this. Any help with this would be greatly appreciated.

Tags (3)
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-18-2012 01:34 PM

Your eval statement is fine. You need to fix the stats count. This should do it.

. | eval newField= query." ".q | stats count(newField)

Then you could do | stats count(newField) by newField

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...