Splunk Search

How to combine multiple fields?

zkenaga
New Member

I have multiple fields with the name name_zz_(more after this).

How would I be able to merge all of the like tests into one field?

somesoni2
SplunkTrust

Do you want to merge values (concatenate values), or will each event have a single field but with a different name, and you want to create a common name field?

zkenaga
New Member

I am looking to join all the names together and have them report as one name.

zkenaga
New Member

Right now I have

name_zz_1
name_zz_2
name_zz_3

I would like to have those combined to just report as name_zz.

somesoni2
SplunkTrust

So basically, right now you have to do something like this to see all values?

...some search | table ..some fields.. name_zz_1 name_zz_2 name_zz_3

and you want to do something like

...some search | table ..some fields.. name_zz

Where name_zz will contain values of all 3 (or any number of fields) name_zz_N fields?

It's generally easier for us if you can post some sample values and corresponding expected output.

somesoni2
SplunkTrust

If it's the first case (multiple fields to be combined into one), try this:

...some search.. | eval name_zz="" | foreach name_zz_* [| eval name_zz=coalesce('<<FIELD>>'.",","").name_zz] | fields - name_zz_*
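
A run-anywhere variant of the approach in the answer above, added here as an example and not part of the original thread. It builds three constructed events with makeresults, some of them missing one or more name_zz_N fields, collects every non-null value into a multivalue name_zz with mvappend, and joins them so there is no leading or trailing comma. The sample values and the all_names field name are assumptions.

```spl
| makeresults count=3
| streamstats count AS n
| eval name_zz_1=case(n=1, "alpha", n=2, "delta")
| eval name_zz_2=case(n=1, "bravo", n=3, "echo")
| eval name_zz_3=if(n=1, "charlie", null())
| foreach name_zz_* [ eval name_zz=mvappend(name_zz, '<<FIELD>>') ]
| eval all_names=mvjoin(name_zz, ",")
| fields - name_zz_*
| table n name_zz all_names
```

Keeping name_zz multivalue lets later commands such as mvexpand or stats values() treat each name separately, while all_names gives the single comma-separated string.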