You could win up to $50,000 building Splunk apps in the Splunk>Apptitude contest. Learn more »
So I'm trying to run a search in Splunk and have two fields combined to return one larger field. My basic search is:
(host="web01.inno-360.com" AND source="/var/log/apache2/basf_ssl_access.log" AND "/profile-services/talent") OR (host="zakta01.inno-360.com" AND basf-landscaping.inno-360.com AND "GET /search" AND query=*)
From that I'm interested in two fields: 1) 'query' 2) 'q'. I would like to combine these two fields to end with something like:
... | stats count by newField
From searching I have tried using eval like this:
... | eval newField= query." ".q | stats count by newField
However I've had absolutely no luck at all with this. Any help with this would be greatly appreciated.