I have 2 fields from the same Splunk index.
field1 has rows 1,2,3,4,5 and field2 has rows 10,12.
I want a new field3 with data from both field1 and field2.
Please suggest.
field1 | field2
1      | 10
2      | 12
3      |
4      |
5      |

field3
1
2
3
4
5
10
12
Notice that your requested output has more rows than the original input. To do this requires some sort of transformation; one way would be to use the mvexpand method, which would look something like this.

<base_search>
| eval field3=mvappend(field1, field2)
| fields + field3
| mvexpand field3
| sort 0 +field3
You can see in the screenshot that field3 is in your requested format.

Full SPL to replicate:

| makeresults count=5
| streamstats count as field1
| eval field2=case(
    'field1'==1, 10,
    'field1'==2, 12,
    true(), null()
  )
| fields - _time
``` mvexpand method ```
| eval field3=mvappend(field1, field2)
| mvexpand field3
| sort 0 +field3
Another method would be append (subsearches can be truncated if you hit any Splunk limits), something like this:

<base_search> field1=*
| eval field3='field1'
| fields + field3
| append
  [
  | search <base_search> field2=*
  | eval field3='field2'
  | fields + field3
  ]
Full SPL to replicate:

| makeresults count=5
| streamstats count as field1
| eval field2=case(
    'field1'==1, 10,
    'field1'==2, 12,
    true(), null()
  )
| fields - _time
| search field1=*
| eval field3='field1'
``` append method ```
| append
  [
  | makeresults count=5
  | streamstats count as field1
  | eval field2=case(
      'field1'==1, 10,
      'field1'==2, 12,
      true(), null()
    )
  | fields - _time
  | search field2=*
  | eval field3='field2'
  ]
I bet there is also a slick way of using the appendpipe command to achieve this.

<base_search>
| appendpipe
  [
  | stats values(field2) as field2
  ]
| eval field3=coalesce(field1, field2)
| mvexpand field3
The output looks like this.

Full SPL to replicate:

| makeresults count=5
| streamstats count as field1
| eval field2=case(
    'field1'==1, 10,
    'field1'==2, 12,
    true(), null()
  )
| fields - _time
``` appendpipe method ```
| appendpipe
  [
  | stats values(field2) as field2
  ]
| eval field3=coalesce(field1, field2)
| mvexpand field3
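As an added example that is not part of the original thread, the same mvexpand technique carried one step further to a typical SOC question: one column of every address that appears in either a source or a destination field, with a count of how often each address was seen on either side. The field names src_ip and dest_ip and the makeresults rows are constructed stand-ins for a real base search; the second row deliberately has no dest_ip so the null-handling of mvappend is visible.

```spl
| makeresults count=3
| streamstats count as n
| eval src_ip=case(n==1, "10.0.0.5", n==2, "10.0.0.6", n==3, "10.0.0.5"),
       dest_ip=case(n==1, "192.0.2.10", n==3, "192.0.2.10")
| fields - _time n
| eval ip=mvappend(src_ip, dest_ip)
| fields + ip
| mvexpand ip
| stats count as hits by ip
| sort 0 -hits
```

mvappend skips the null dest_ip on row 2, so that row expands to a single value rather than an empty one, and the final stats gives one row per distinct address (10.0.0.5 and 192.0.2.10 with 2 hits each, 10.0.0.6 with 1). Because everything happens inside the main pipeline there is no subsearch to truncate, which is the reason to prefer this form over append when the base search is large.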