https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348558#M103172 <P>The mvexpand command doesn't work on <CODE>_*</CODE> fields (internal/special splunk fields). Try like this</P> <PRE><CODE>| makeresults | eval raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%" | makemv raw delim="#" | mvexpand raw | rex field=raw "(?P&lt;host&gt;[^\%]+)%(?P&lt;Port1&gt;[^\%]+)%(?P&lt;Port2&gt;[^\%]+)%(?P&lt;Port3&gt;[^\%]+)" | table _time host Port1 Port2 Port3 </CODE></PRE> Mon, 18 Dec 2017 18:34:16 GMT somesoni2 2017-12-18T18:34:16Z https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348556#M103170 <P>Hello,</P> <P>I need to spoof some data and am using |makeresults for 3 hosts and their port status of "UP" (and eventually "DOWN")</P> <P>| makeresults<BR /> | eval _raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%"<BR /> | rex max_match=0 "(?P&lt;_raw&gt;[^#]+)"<BR /> | mvexpand _raw<BR /> | table _time _raw<BR /> | rex "(?P[^\%]+)%(?P[^\%]+)%(?P[^\%]+)%(?P[^\%]+)"<BR /> | table _time host Port1 Port2 Port3</P> <P>This gives me 3 lines for the result but _time shows only on the first result for "host1"</P> <P>Question: How do I get the above search show _time for the all 3 results?</P> <P>Thank you.</P> Tue, 29 Sep 2020 17:18:32 GMT https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348556#M103170 sbowser_splunk 2020-09-29T17:18:32Z https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348557#M103171 <P>answers were posted in the slack channel</P> Mon, 18 Dec 2017 18:32:17 GMT https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348557#M103171 DalJeanis 2017-12-18T18:32:17Z https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348558#M103172 <P>The mvexpand command doesn't work on <CODE>_*</CODE> fields (internal/special splunk fields). Try like this</P> <PRE><CODE>| makeresults | eval raw = "host1%UP%UP%UP%#host2%UP%UP%UP%#host3%UP%UP%UP%" | makemv raw delim="#" | mvexpand raw | rex field=raw "(?P&lt;host&gt;[^\%]+)%(?P&lt;Port1&gt;[^\%]+)%(?P&lt;Port2&gt;[^\%]+)%(?P&lt;Port3&gt;[^\%]+)" | table _time host Port1 Port2 Port3 </CODE></PRE> Mon, 18 Dec 2017 18:34:16 GMT https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348558#M103172 somesoni2 2017-12-18T18:34:16Z https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348559#M103173 <P>okay, to give you three events, each with the _time, host, and one of the ports, you can do either of these</P> <PRE><CODE>| eval myports=mvappend("Port1=".Port1."Port2=".Port2."Port3=".Port3) | table _time host myports | mvexpand myports | rex field=myports "(?&lt;myport&gt;[^=]+)=(?&lt;myvalue&gt;.*)$) | eval {myport} = myvalue | fields - myports myport myvalue </CODE></PRE> <P>This first one gives you a record that looks like <CODE>| table _time host Port*</CODE> where Port* is either Port1, Port2 or Port3.</P> <P>OR </P> <PRE><CODE>| streamstats count as recno | rename _time as time | untable recno portname portvalue | eventstats min(eval(if(portname="time",portvalue)) as _time min(eval(if(portname="host",portvalue)) as host by recno | where portname!="time" AND portname!="host" </CODE></PRE> <P>This second one gives a record that looks like</P> <PRE><CODE>| table _time host portname portvalue </CODE></PRE> Mon, 18 Dec 2017 18:38:19 GMT https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348559#M103173 DalJeanis 2017-12-18T18:38:19Z https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348560#M103174 <P>Thank you for all of these tips!</P> Mon, 18 Dec 2017 19:08:17 GMT https://community.splunk.com/t5/Splunk-Search/Need-time-on-each-event-for-a-makeresults/m-p/348560#M103174 sbowser_splunk 2017-12-18T19:08:17Z