Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine two fields into one field?

marisstella
Explorer
‎07-12-2019 05:26 AM

Hello everyone,
I have created some fields but now I want to combine the fields, Ex: I have created fields like A B C now I want to create a new field which combine two fields.. EX D= A+B or D=A+B+C
Can any one help me on this?

0 Karma
Reply

FrankVl
Ultra Champion
‎07-14-2019 03:07 AM

Config as provided in the comments looks fine, but if those fields are not together in 1 event, there is no way this will work using calculated fields. You will need to write a search query that combines the related events somehow, to get that information together.

If you need help with that, I suggest you create a new question, with proper detailed explanation of what you are trying to achieve.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-12-2019 06:07 AM

If by "combine" you mean concatenate then you use the concatenation operator within an eval statement.

... | eval D = A . B . C

will create a field 'D' containing the values from fields A, B, C strung together (D=ABC). You can add text between the elements if you like:

... | eval D = A . "+" . B . "=" . C
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

marisstella
Explorer
‎07-14-2019 10:43 PM

Hii, it didn't work...
I want to create new field by combining existing field...

0 Karma
Reply

FrankVl
Ultra Champion
‎07-15-2019 12:10 AM

See my answer below, and stop just kicking your question without adding any new information. As explained: what you want is impossible with calculated fields. You cannot combine fields from 2 separate events like that.

0 Karma
Reply

marisstella
Explorer
‎07-12-2019 06:18 AM

Hello richgalloway,
Thanks for your reply, I have tried that like eval report=A . "-" .B
It is working and behaving report as a new field but we can't run the SPL query every time.. So I'm planing to create a new field which combines the two fields which I have created and working successfully.....
When I run the SPL Query, eval repor= duration. "-" .action it combines these two fields...
So they can see how much time was taken to complete the action... is there a way to add two fields and make them as third field???

0 Karma
Reply

FrankVl
Ultra Champion
‎07-12-2019 06:29 AM

Yes, just define a calculated field with that same eval expression in it.

In the GUI under Settings -> Fields -> Calculated Fields. Or directly in props.conf under the respective sourcetype: EVAL-report = A . "-" .B

0 Karma
Reply

marisstella
Explorer
‎07-12-2019 07:12 AM

Okay, but one question?
EVAL-report =A . "-" .B
So here, the A and B are name of the fields or regular expression of the A and B fields?

0 Karma
Reply

FrankVl
Ultra Champion
‎07-12-2019 07:14 AM

The names of those fields (assuming you already have extractions defined for those fields).

0 Karma
Reply

marisstella
Explorer
‎07-12-2019 07:28 AM

Yes, I have created fields already.. In settings>fields>calculatedfields> selected sourcetype after that it is asking eval expression..

0 Karma
Reply

marisstella
Explorer
‎07-12-2019 07:35 AM

I have given name
Eval Expresion = EVAL-report = timeendpos. "-" .timestartpos

then it gave this error: Encountered the following error while trying to save: In handler 'props-eval': Operator types incompatible

0 Karma
Reply

FrankVl
Ultra Champion
‎07-12-2019 07:39 AM

If you're creating the calculated field through the GUI, you just need the eval expression itself, not the EVAL-report = bit. So just enter timeendpos. "-" .timestartpos

0 Karma
Reply

marisstella
Explorer
‎07-12-2019 09:47 PM

Hiiii, it didn't work.. Any suggestions?

0 Karma
Reply

FrankVl
Ultra Champion
‎07-14-2019 01:38 AM

Can you create a screenshot of the calculated field settings? Upload it to some imagehost and share the url here.

0 Karma
Reply

marisstella
Explorer
‎07-14-2019 01:54 AM

Hi FrankVI, thank you so much for your reply.. I should complete this by Monday morning..
here are the requested URL's
https://ibb.co/R6ZX1Rs
https://ibb.co/ZVV6dZk

0 Karma
Reply

FrankVl
Ultra Champion
‎07-14-2019 01:59 AM

Can you also open the calculated fields to see how you configured it?

Also: from what I can see from your search screenshot, the 2 events with an MTP value do not have a Duration value. So then of course the calculation fails.

0 Karma
Reply

marisstella
Explorer
‎07-14-2019 02:24 AM

Here Duration and MTP both are completely different eachother..
my query is to merge these two fields by creating new field...
here MTP means action and Duration means time..
if I merge these fields, the client will get know "ACtion completed by 55 sec" by clicking on single field....

https://ibb.co/hBG9NMt

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...