How can I consolidate 2 or more fields into one new field at search time? e.g. ...| fields a,b,c | d In the above I would like d to hold all values in fields a,b,c, so what I am doing is creating a new field called d out of the fields a, b and c. Is this possible?
If you want them all concatenated, then you can do:
If you want a multi-value field, you could do something like this (assuming that you don't have
If you are trying to get a single value when a, b, or c could be null (or missing), then you can use:
Are any of these what you are looking for?

eval d=coalesce(a,b,c)
This worked a treat, single value when a, b or c could be null (or missing). Perfect, thanks.
(28 Apr '10, 17:45)
Josh
Also, if you want to create a single multi-valued field, you would concatenate the values with a delimiter as in one of the other answers, and then use the

Is there an advantage to using
(28 Apr '10, 18:31)
Lowell ♦
No, it's the same.
(28 Apr '10, 19:57)
gkanapathy ♦
Eval command could do this: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Eval
Also, the nomv command might be helpful for your use case: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Nomv

If your intention ultimately is to get statistics or data about each unique combination of a, b and c, then it's easier to do things like "stats avg(foo) values(bar) by a, b, c".
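The three approaches discussed in the answers above (concatenated string, multi-valued field, first non-null value) and the stats-by alternative, as one added worked search. This is an example written for this page, not code posted by any of the answerers. It assumes a Splunk version with makeresults (6.3 or later) so the sample rows are constructed inline; the field names a, b, c and d and the sample values are made up. The null-handling differences it shows are the point: eval's "." concatenation returns null when any operand is null, so the naive concat field disappears on rows with a missing input, whereas coalesce() and mvappend() tolerate missing fields.

```spl
| makeresults count=3
| streamstats count AS row
```` Constructed sample rows: row 1 has a and b, row 2 has a and c, row 3 has b and c (case() with no matching branch yields null, i.e. a missing field) ```
| eval a=case(row=1,"alpha", row=2,"alpha")
| eval b=case(row=1,"beta",  row=3,"beta")
| eval c=case(row=2,"gamma", row=3,"gamma")
| fields - _time row
```` 1. Plain concatenation: null on every row where a, b or c is missing ```
| eval d_concat = a . "," . b . "," . c
```` 1b. Concatenation that survives missing fields by defaulting each input to "" ```
| eval d_concat_safe = coalesce(a,"") . "," . coalesce(b,"") . "," . coalesce(c,"")
```` 2. Multi-valued field holding all present values (assumption: mvappend skips null arguments; verify on your version) ```
| eval d_mv = mvappend(a, b, c)
```` 3. Single value: first non-null of a, b, c (the eval d=coalesce(a,b,c) from the accepted answer) ```
| eval d_first = coalesce(a, b, c)
| table a b c d_concat d_concat_safe d_mv d_first
```

To compare with the stats-by approach from the last answer, append `| fillnull value="-" a b c | stats count values(d_first) BY a b c` to the search. The fillnull step matters: stats ... BY a b c silently drops any row in which one of the by-fields is missing, so without it all three constructed rows would vanish from the result.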