![]() ![]() Make sure the 2 field names are correct (interfacename,bytesreceived ) V. In the simplest words, the Splunk eval command can be used to calculate an expression and puts the value into a destination field. use mvexpand to populate the actual values, extract the fields using rex. Try to use this form if you can, because it's usually most efficient. Use interfacename,bytesreceived fields and make a single field called temp by using mvzip. I just inherited a small Splunk install at my new job and my sales rep suggested I check our Reddit I have 2 different sources in the same index file. Description The eval command calculates an expression and puts the resulting value into a search results field. If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case. Need to combine 2 different fields into 1, but from different data sources. ![]() Events from the main search and subsearch are paired on a one-to-one basis without regard to any field value. The answers you are getting have to do with testing whether fields on a single event are equal. The appendcols command is a bit tricky to use. Using table command, we have taken two fields called Message1 and Message2. I think you may be making some incorrect assumptions about how things work. In the above query abc is the index and sourcetype name is abc. strcat works great for more than two fields as well. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |