Splunk Enterprise SPL search combine multiple field values into 1 field

Question

I have the following log line:

{"date_time":"20220902-12:20:20.628640865","severity":"INFO","origin":"CME","pipeline":"cme_channel_310","mdflow_core_version":"1.1.0","mdflow_msgapi_version":"2.2.0","mdflow_apps_version":"3.3.0","alias_name":"PROD","num_instruments":"10000"}

I want to display (in table format) the origin and versions like so:

Origin   Versions
CME      1.1.0/2.2.0/3.3.0

I am "close" with using strcat and creating the versionCombo field. Here is my full query...

| spath 
| strcat mdflow_core_version "/" mdflow_msgapi_version "/" mdflow_apps_version versionCombo
| stats values(origin) as Origin values(versionCombo) as Versions

The above search results in this with multiple lines of somewhat concatenated strings...

Origin   Versions
CME      //
         1.1.0
         1.1.0/2.2.0
         2.2.0/3.3.0
         3.3.0

I need it be all on one line with the value: "1.1.0/2.2.0/3.3.0". Any help here would be appreciated. Thank you in advance!

score 0 · Answer 1 · answered Sep 02 '22 at 20:27

0

What version of Splunk are you using? Is there anything about the data or the query you haven't shared? The query works fine on both of my sandbox systems.

answered Sep 02 '22 at 20:27

RichG

9,063
2
18
29

Version 8.1.4. That is very interesting. No, there is nothing else - literally what I posted above is the log line and the spl query. This is sent through a universal forwarder. I will post the config of the forwarder. – g t Sep 06 '22 at 14:28

score 0 · Answer 2 · edited Sep 16 '22 at 22:50

0

Interestingly, if I remove the | spath, it works.

edited Sep 16 '22 at 22:50

desertnaut

57,590
26
140
166

answered Sep 07 '22 at 02:04

g t

21
4

Splunk Enterprise SPL search combine multiple field values into 1 field

2 Answers2