Solved: field combination does not work properly

can_surer · ‎12-18-2014

Hi,
I have the following search on splunk indexer.
Although field "a" and "b" return results, field "steps" does not return stable results.(only one or zero result is returned).
thanks

pedromvieira · ‎12-18-2014

You can use mvexpand before your field concatenation.

mvexpand
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Mvexpand

sourcetype="F5:iRule:WebAccess"| head 100000 | sort -req_elapsed_time|head 3|stats count by url client_address req_elapsed_time server_name|stats sum(count) as count list(url) as a list(server_name) as b by server_name | mvexpand a | mvexpand b | eval steps=b."-".a | fields steps count

View solution in original post

pedromvieira · ‎12-18-2014

You can use mvexpand before your field concatenation.

mvexpand
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Mvexpand

sourcetype="F5:iRule:WebAccess"| head 100000 | sort -req_elapsed_time|head 3|stats count by url client_address req_elapsed_time server_name|stats sum(count) as count list(url) as a list(server_name) as b by server_name | mvexpand a | mvexpand b | eval steps=b."-".a | fields steps count

can_surer · ‎12-23-2014

Thanks for your recommendation.
It solved my issue.

Ayn · ‎12-18-2014

eval won't like doing string concatenations on multivalued fields. It does that on single-valued fields only.

field combination does not work properly

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk