Solved: Combine 2 fields to create a new field?

the_wolverine · ‎10-25-2010

I have a search that generates a list of IP addresses and usernames by time. I'd like to dedup the value of ip address + username. I cannot dedup just one (ip OR username) because the IP addresses get recycled and will get reassigned to another user.

Is it possible to combine my 2 fields (ip_address + username) to create a 3rd field that I can use for dedup purposes?

ftk · ‎10-25-2010

You could concatenate the fields together:

your search | eval new_field = field1."-".field2

"-" in this example is a separator -- you can use anything (or nothing) there. To just concat the fields do field1.field2

View solution in original post

ftk · ‎10-25-2010

You could concatenate the fields together:

your search | eval new_field = field1."-".field2

"-" in this example is a separator -- you can use anything (or nothing) there. To just concat the fields do field1.field2

ssrdc · ‎01-19-2017

Nice answer

labani · ‎07-02-2013

thanks a lot. this is really useful. i've got exactly what i wanted.

aleem · ‎03-30-2012

many thanks for this tip

Be the best version of you

Combine 2 fields to create a new field?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio