The Splunk Search Processing Language (SPL for short) provides amazing flexibility for string manipulation in events. While creating your SPL searches, you may come across a case where you need to combine the string values from two separate fields into one new field. This is called concatenation. In this article, we will discuss ways in which you can use concatenation to combine your field strings in an elegant and streamlined manner.
What is Splunk Concatenation?
Concatenation is the combining of two separate values into one single value. In Splunk, you can combine string values from two fields. This is helpful for manipulating the string information in a field in order to render a specifically formatted value. It can also be used to create a new field that might be used to filter information from other fields.
What are the benefits of Splunk Concatenation?
Easily reformat string information inside of a field value.
Format string information in a way that is used for rendering and/or to configure key string values for use in other searches.
How do you use the Splunk Concatenation feature?
Splunk has a very simple operator for concatenating field values. The concatenation operator is the plus (+) sign. Let us say you have two fields: one called “First_Names” that contains first name values, and a second called “Last_Names” that contains last name values. If you wanted to concatenate them into one field called “Full_Names” with a space in between, the command would look like this:
| eval Full_Names = First_Names + " " + Last_Names
Notice the double-quoted space between the two fields, which provides the space character. You could use this to format with a period instead of a space as follows:
| eval Full_Names = First_Names + "." + Last_Names
You could also add static string information that gives more meaning to the concatenated result, as follows:
| eval Full_Names = "The full name is: " + First_Names + " " + Last_Names
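The same concatenation as a self-contained search, added here as an example and not taken from the original article: makeresults builds three constructed sample rows (the names are made up), and the third row has no Last_Names value. In eval, an expression with a null operand returns null, so Full_Names is empty for that row, while the hypothetical Full_Names_Safe field uses coalesce() to substitute an empty string and trim() to drop the leftover space.

```spl
| makeresults count=3
| streamstats count AS row
| eval First_Names = case(row=1, "Ada", row=2, "Grace", row=3, "Alan")
| eval Last_Names = case(row=1, "Lovelace", row=2, "Hopper")
| eval Full_Names = First_Names + " " + Last_Names
| eval Full_Names_Safe = trim(coalesce(First_Names, "") + " " + coalesce(Last_Names, ""))
| table row First_Names Last_Names Full_Names Full_Names_Safe
```

The null case matters when the concatenated value is used as a key in other searches, because events missing either field would otherwise silently drop out of the results.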
An example of using the above SPL options is depicted in this image:
Splunk Concatenation is a simple and powerful string manipulation function of Splunk SPL that you can start applying to your search queries.