Re: How can one combine two fields with the same v...

amcb90 · ‎06-07-2019

I have two fields with the same values but different field names.

index= network
sourcetype= firewall
The source IP field is "src"
sourcetype= logins
The source IP field is "src_ip"

I would like to be able to combine the results of both in a stats table to have a line item contain info from both sourcetypes:
example:

index=network sourcetype=firewall OR sourcetype=logins |(Whatever I need to do to combine two fields into one) | stats values(username) as Usernames, values(alert) as Alerts by (NEW_Source_IP_Field_Name)

kmorris_splunk · ‎06-07-2019

You could use coalesce in your search:

[YOUR BASE SEARCH]
| eval newfield=coalesce(field1,field2)

This will merge the values of both fields into one field.

Vijeta · ‎06-07-2019

@ambc90 Try this -

index=network sourcetype=firewall OR sourcetype=logins |rename src_ip as src| stats values(username) as Usernames, values(alert) as Alerts by src

OR you can use

index=network sourcetype=firewall OR sourcetype=logins |eval src=coalesce(src,src_ip)| stats values(username) as Usernames, values(alert) as Alerts by src

Sukisen1981 · ‎06-07-2019

checked field aliases out?

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Addaliasestofields

How can one combine two fields with the same values- but different field names- to aggregate data from multiple sourcetypes?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?