Solved: How to unite different fields into one field?

marxsabandana · ‎05-07-2019

I'm about to unite product codes from 2 different sourcetypes with different names, but with the same value.

Here's a sample table:
ProdID_1 (from sourcetype A)

0001596

ProdID_2 (from sourcetype B)
0001596

My desired output should be unified like this:
ProdID
0001596

koshyk · ‎05-08-2019

There are quite few methods depending on how much other fields you want to protect/align
1. Using Rename

index=* (sourcetpe=A Or sourcetype=B) | rename ProdID_1 as ProdID| rename ProdID_2 as ProdID

index=* (sourcetpe=A Or sourcetype=B) | eval ProdID=ProdID_1 | eval ProdID=ProdID_2

Using transaction (if you want to club events of same ProdID into single transaction)

index=* (sourcetpe=A Or sourcetype=B) | rename ProdID_1 as ProdID| rename ProdID_2 as ProdID | transaction ProdID

koshyk · ‎05-08-2019

There are quite few methods depending on how much other fields you want to protect/align
1. Using Rename

index=* (sourcetpe=A Or sourcetype=B) | rename ProdID_1 as ProdID| rename ProdID_2 as ProdID

index=* (sourcetpe=A Or sourcetype=B) | eval ProdID=ProdID_1 | eval ProdID=ProdID_2

Using transaction (if you want to club events of same ProdID into single transaction)

index=* (sourcetpe=A Or sourcetype=B) | rename ProdID_1 as ProdID| rename ProdID_2 as ProdID | transaction ProdID

How to unite different fields into one field?