https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596855#M104188 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245592">@nonya_54</a>&nbsp;- doing it from backend doesn't seem like a straight forward thing.</P><P>How you are collecting the data? If you are collecting it through script or something I would say you do it at that stage.</P><P>Doing it search time sounds still good as it will require less storage and license.</P> Sun, 08 May 2022 17:54:16 GMT VatsalJagani 2022-05-08T17:54:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596769#M104185 <P>I have logs that resemble the table below.</P> <P>index=linux sourcetype=group | table group group_id, users</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%">group</TD> <TD width="33.333333333333336%">group_id</TD> <TD width="33.333333333333336%">users</TD> </TR> <TR> <TD width="33.333333333333336%">splunk</TD> <TD width="33.333333333333336%">1</TD> <TD width="33.333333333333336%">admin, john, jill</TD> </TR> <TR> <TD width="33.333333333333336%">apache</TD> <TD width="33.333333333333336%">2</TD> <TD width="33.333333333333336%">sarah, bill</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I would like the events to be separated by individual users so it looks like the table below. Is there a way to utilize transforms/props to separate the events by each different user?&nbsp;</P> <P>index=linux sourcetype=group | table group group_id, users</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">group</TD> <TD width="33.333333333333336%" height="25px">group_id</TD> <TD width="33.333333333333336%" height="25px">users</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">splunk</TD> <TD width="33.333333333333336%" height="25px">1</TD> <TD width="33.333333333333336%" height="25px">admin</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">splunk</TD> <TD width="33.333333333333336%" height="25px">1</TD> <TD width="33.333333333333336%" height="25px">john</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">splunk</TD> <TD width="33.333333333333336%" height="25px">1</TD> <TD width="33.333333333333336%" height="25px">jill</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">apache</TD> <TD width="33.333333333333336%" height="25px">2</TD> <TD width="33.333333333333336%" height="25px">sarah</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">apache</TD> <TD width="33.333333333333336%" height="25px">2</TD> <TD width="33.333333333333336%" height="25px">bill</TD> </TR> </TBODY> </TABLE> Wed, 01 Apr 2026 16:39:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596769#M104185 nonya_54 2026-04-01T16:39:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596771#M104186 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245592">@nonya_54</a>&nbsp;- Try:</P><LI-CODE lang="markup">index=linux sourcetype=group | table group group_id, users | makemv users delim="," | mvexpand users</LI-CODE><P>&nbsp;</P><P>I hope this helps!!!</P> Fri, 06 May 2022 17:53:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596771#M104186 VatsalJagani 2022-05-06T17:53:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596851#M104187 <P>Hello. Thank you for the response. I would like to be able to utilize the backend of Splunk as opposed to an inline search for the desired results.</P> Sun, 08 May 2022 16:39:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596851#M104187 nonya_54 2022-05-08T16:39:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596855#M104188 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245592">@nonya_54</a>&nbsp;- doing it from backend doesn't seem like a straight forward thing.</P><P>How you are collecting the data? If you are collecting it through script or something I would say you do it at that stage.</P><P>Doing it search time sounds still good as it will require less storage and license.</P> Sun, 08 May 2022 17:54:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596855#M104188 VatsalJagani 2022-05-08T17:54:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596856#M104189 <P>You cannot do that. That's the short answer. There is no sane way of doing auch thing. When the event goes through the whole ingestion/indexing pipeline it is a single event. You can manipulate it, you can redirect it, you can extract fields, overwrite some parts of its data... But you can't split it into multiple events. You cant join multiple events into one either.</P> Sun, 08 May 2022 20:41:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-separate-events-by-using-props-transforms/m-p/596856#M104189 PickleRick 2022-05-08T20:41:36Z