
I have the following result set coming from a search:

field_1 field_2
 1       2
 3       4
 5       6

I need to merge these two fields into a new field "output":

output
 1
 2
 3
 4
 5
 6

Thanks, Lp

asked 31 May '12, 09:50


lpolo

edited 31 May '12, 10:03


ChrisG ♦


3 Answers:

Better answer:

yoursearchhere |
eval output = toString(field1) + ";" + toString(field2) |
makemv delim=";" output |
mvexpand output

This assumes that field1 and field2 are numeric. If they are not, you can use the following instead:

yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output

Note that a semicolon (;) is used as a delimiter, so a semicolon cannot appear in either field1 or field2.


answered 01 Jun '12, 06:41


lguinn ♦

edited 02 Jun '12, 18:20

Nice learning experience. Thanks.

(01 Jun '12, 07:33) lpolo
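As an added example that is not part of the thread above, the same merge run end to end on a constructed copy of the question's three rows: makeresults and streamstats build the rows inline, and mvappend builds the multivalue field directly instead of joining on ";", so a semicolon inside a value cannot split into extra rows. It assumes a Splunk release that has makeresults and mvappend (6.3 or later).

```spl
| makeresults count=3
| streamstats count AS n
| eval field_1 = 2*n - 1, field_2 = 2*n
| eval output = mvappend(field_1, field_2)
| mvexpand output
| table output
```

The first three commands only fabricate the sample data; against a real search, replace them with the search and keep the last three commands, which yield one event per value (1 through 6 here).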

Here is one way, but there is probably something better:

yoursearchhere |
rename field1 as output |
append [search yoursearchhere earliest=-24h |
rename field2 as output ]

This runs the search twice...
Notice that I included earliest=-24h for the inner search. Otherwise, this will search over all time - it is not affected by the time selector.


answered 31 May '12, 13:45


lguinn ♦

This approach is expensive and might not work when dealing with millions of events. Thanks.

(01 Jun '12, 05:18) lpolo

Well, give more details. You didn't state that this was going to be used across millions of events. Also, you need to give more details on the search you're using to generate these fields. Do field1 and field2 belong to the same search result? Do both fields always occur in all events you want to apply this to?

(01 Jun '12, 05:22) Ayn

Simply rename the fields to the same name like this and it works!

yoursearchhere | rename field_1 as output | rename field_2 as output

(I found this after not wanting to deal with delimiters)


answered 08 Oct '12, 13:38


e_sherlock

Yes, you can do this, but given the example in the original question:

field_1 field_2
 1       2
 3       4
 5       6

Your solution would end up with 3 events, not 6. And your 3 events would have a multi-valued field named output. Nothing wrong with that, but it might be hard to work with, depending on what you wanted to do next.

BTW, if you wanted, you could also create field aliases that would make your renames "permanent" so that you don't have to do the renames every time.

(08 Oct '12, 21:22) lguinn ♦

True. My specific use case worked as I was dealing with 6 different log events so the source looks like this:

field_1 field_2 1 2 3 5 4 6

(09 Oct '12, 12:54) e_sherlock

Last updated: 09 Oct '12, 13:05

Copyright © 2005-2012 Splunk Inc. All rights reserved.