https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467174#M80516 <P>@ea7777777 try the following run anywhere example based on the sample data provided. Commands till <CODE>| fields _raw</CODE> generate data, you can pipe the command from <CODE>| eval ...</CODE> and validate the output with your query.</P> <PRE><CODE>| makeresults | eval _raw="2020/02/14/16:12:28:872 MachineNumber=\"K003991_HT\" Pass=\"FPPF\"" | KV | fields - _raw | eval Pass=replace(replace(Pass,"(\w{1})","\1,"),",$","") | makemv Pass delim="," | mvexpand Pass </CODE></PRE> Sat, 15 Feb 2020 19:44:59 GMT niketn 2020-02-15T19:44:59Z https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467173#M80515 <P>Hi, </P> <P>I´ve got this event -&gt;</P> <BLOCKQUOTE> <P>2020/02/14/16:12:28:872<BR /> MachineNumber="K003991_HT"<BR /> Pass="FPPPPPPFPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP"</P> </BLOCKQUOTE> <P>Each position of the pass value gives an pass or fail for one position (1..80 but can also be only 1..45). </P> <P>For example Pass="FPPF" says -&gt;</P> <P>Position_1 = Fail<BR /> Position_2 = Pass<BR /> Position_3 = Pass<BR /> Position_4 = Fail</P> <P>Now I want to buld an table to show which position has how much fails of all events. How to do this?</P> <P>One possibility could be to use mvexpand and build more events. </P> <P>For example, build from this -&gt;</P> <BLOCKQUOTE> <P>2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="FPPF"</P> </BLOCKQUOTE> <P>that events -&gt;</P> <BLOCKQUOTE> <P>2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Fail" Position="1"<BR /> 2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Pass" Position="2"<BR /> 2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Pass" Position="3"<BR /> 2020/02/14/16:12:28:872 MachineNumber="K003991_HT" Pass="Fail" Position="4"</P> </BLOCKQUOTE> <P>...but how is it possible do do this? Or is there an other possibility to buld my table? Thanks!</P> Wed, 30 Sep 2020 04:06:54 GMT https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467173#M80515 ea7777777 2020-09-30T04:06:54Z https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467174#M80516 <P>@ea7777777 try the following run anywhere example based on the sample data provided. Commands till <CODE>| fields _raw</CODE> generate data, you can pipe the command from <CODE>| eval ...</CODE> and validate the output with your query.</P> <PRE><CODE>| makeresults | eval _raw="2020/02/14/16:12:28:872 MachineNumber=\"K003991_HT\" Pass=\"FPPF\"" | KV | fields - _raw | eval Pass=replace(replace(Pass,"(\w{1})","\1,"),",$","") | makemv Pass delim="," | mvexpand Pass </CODE></PRE> Sat, 15 Feb 2020 19:44:59 GMT https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467174#M80516 niketn 2020-02-15T19:44:59Z https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467175#M80517 <PRE><CODE>| makeresults | eval _raw="2020/02/14/16:12:28:872 MachineNumber=\"K003991_HT\" Pass=\"FPPPPPPFPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP\"" | rex "(?&lt;time&gt;^\S+)" | eval _time=strptime(time,"%Y/%m/%d/%T.%3Q") | kv | table _time MachineNumber Pass | eval Pass=split(Pass,"") | mvexpand Pass | streamstats count as Position </CODE></PRE> <P>Hi, folks<BR /> The detail:</P> <OL> <LI> <CODE>kv</CODE> extracts <EM>key=value</EM></LI> <LI> <CODE>split()</CODE> makes multivalue.</LI> <LI> <CODE>mvexpand</CODE> creates events from multivalue.</LI> <LI> <CODE>streamstats</CODE> makes count named <EM>Position</EM>.</LI> </OL> Sat, 15 Feb 2020 22:49:17 GMT https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467175#M80517 to4kawa 2020-02-15T22:49:17Z https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467176#M80518 <P>Works fine! Thanks!</P> <P>Only change from my side was -&gt;</P> <PRE><CODE> | streamstats count as Position by _time </CODE></PRE> Mon, 17 Feb 2020 16:55:52 GMT https://community.splunk.com/t5/Getting-Data-In/Build-table-by-char-position-in-string/m-p/467176#M80518 ea7777777 2020-02-17T16:55:52Z