| eval output=coalesce(field_1,field_2)
| table output
If your field names contain special characters, coalesce may not work and you might have to rename them first.
Example:
| rename field_1 as field1
| rename field_2 as field2
| eval output=coalesce(field1,field2)
| table output
This worked for me, thanks!
I've had the most success combining two fields the following way:
|eval CombinedName= Field1+ Field2+ Field3|
If you want to combine it by putting in some fixed text, the following can be done:
|eval CombinedName=Field1+ Field2+ Field3+ "fixedtext" +Field5|
I've had the most success in combining two fields using the following:
|eval ClearanceCode= NFC1 + NFC2 + NFC3|
Tested and ok here:
| eval output = mvappend('field_1', 'field_2')
| mvexpand output
| table output
... | eval output = mvappend(field_1, field_2) | stats count by output | table output
You could just add this to the end of your existing search:
... | eval output = mvdedup(mvappend(field_1, field_2)) | fields - field_1 field_2
Or even:
... | stats values(mvappend(field_1, field_2)) AS output
Hi,
I'm having a similar query but not getting output... Actually, I have created fields and I want to merge two fields into a single field... So I'm doing eval report = Duration. "-" .action, which is giving a good result, but I need to run the SPL query every time...
Can I extract the new field directly by merging the two old fields?
Put it into a "Calculated field".
props.conf
[mysourcetype]
EVAL-report = Duration. "-" .action
Yes, what @landen99 said is the ticket for you.
Simply rename the fields to the same name like this and it works!
yoursearchhere | rename field_1 as output | rename field_2 as output
(I found this after not wanting to deal with delimiters)
The second rename result is always shown when we do this.
I downvoted this post because the solution does not work. It just leaves you with output containing the values of field_2.
True. My specific use case worked as I was dealing with 6 different log events so the source looks like this:
field_1 field_2
1
2
3
5
4
6
Yes, you can do this, but given the example in the original question:
field_1 field_2
1 2
3 4
5 6
Your solution would end up with 3 events, not 6. And your 3 events would have a multi-valued field named output. Nothing wrong with that, but it might be hard to work with, depending on what you wanted to do next.
BTW, if you wanted, you could also create field aliases that would make your renames "permanent" so that you don't have to do the renames every time.
Better answer:
yoursearchhere |
eval output = toString(field1) + ";" + toString(field2) |
makemv delim=";" output |
mvexpand output
This assumes that field1 and field2 are numeric. If they are not, you can use the following instead:
yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output
Note that a semicolon (;) is used as a delimiter, so a semicolon cannot appear in either field1 or field2.
Note that the tostring() is not necessary if you use the proper concatenation character "." instead of the ambiguous "+".
This solution assumes that you are starting with field1 and field2 not multivalue.
If field1 is multivalued, you can do this:
eval output = mvappend(field1,field2)
To remove nulls:
eval output = mvfilter(output!=null())
@lguinn2 Make this a comment so that it can be accepted as an answer. I found this to be correct.
Nice learning experience. Thanks.