Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to combine 3+ fields?

jldebell
Path Finder
‎03-02-2015 12:56 PM

I have three fields name_1, name_2, and name_3 that I would like to combine into one field. There is no guarantee that all three fields will contain information. I was able to locate this eval string.

|eval combined_name=if (isnotnull(name_3),name_1.name_2.name_3,name_1.name_2)

Basically if name_3 is null, name_1 and name_2 combine. This is working great until name_1 or name_2 are null. I tried a number of attempts but I am not coming up with the solution.

Examples:

|eval combined_user=if (isnotnull(name_3),name_1.name_2.name_3,name_1.name_2, name_1)

|eval combined_user=if (isnotnull(name_3)OR(name_2),name_1.name_2.name_3,name_1.name_2, name_1, name_2.name_3)

I also tried the following, but then realized, it will only display the first non-null field.

|eval combined_user=coalesce(name_1.name_2.name_3)

Has anyone had success with the 3+ fields?

Thanks, Jennifer

Reply
1 Solution
Solved! Jump to solution
Solution

mparks11
Path Finder
‎03-02-2015 02:20 PM

| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.name_2.name_3

This will fill a null value for any of name_1, name_2 or name_3, but since you don't want to actually fill the null value with an actual value, just use double quotes. Then your eval should work as expected and combine all three values into one new field for combined_user.

View solution in original post

Reply
Solved! Jump to solution
Solution

mparks11
Path Finder
‎03-02-2015 02:20 PM

| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.name_2.name_3

This will fill a null value for any of name_1, name_2 or name_3, but since you don't want to actually fill the null value with an actual value, just use double quotes. Then your eval should work as expected and combine all three values into one new field for combined_user.

Reply
Solved! Jump to solution

mparks11
Path Finder
‎03-02-2015 02:23 PM

Found another answer as a reference as well! http://answers.splunk.com/answers/61916/concatenating-more-than-one-field.html

Reply
Solved! Jump to solution

proletariat99
Communicator
‎03-02-2015 03:16 PM

Does the "." between the names just put the 3 names on the same line separated by a dot, so that the combined_user is a string like this?

name_1 = "steve"
name_2 = "dave"
name_3 = "buster"

combined_name = "steve.dave.buster"

0 Karma
Reply
Solved! Jump to solution

mparks11
Path Finder
‎03-02-2015 03:35 PM

No, the dot just concatenates the values of each three fields, so it'd be "stevedavebuster". If you wanted "steve.dave.buster" it'd be something like:

| fillnull value="" name_1 name_2 name_3
| eval combined_user=name_1.".".name_2.".".name_3

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...