https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365871#M107901 <P>I don't think what you are looking for is possible in Splunk in that way. You either have individual lines for each entry, with customer repeated on each line, or you have aggregated results, where there is 1 line per customer.</P> <P>Of course you can cheat, by simply emptying the customer field for each non-first row per customer, by adding the following below your search.</P> <PRE><CODE> | streamstats count by customer | eval customer=if(count=1,customer,"") | fields - count </CODE></PRE> <P>But that does mean you loose the customer field value for those rows, so if you want to do this because you like the way that looks in a report: do it all the way at the end of your search. And it will mean that if someone who opens the report starts sorting the customer column differently, things will also get messed up.</P> Fri, 27 Apr 2018 08:36:46 GMT FrankVl 2018-04-27T08:36:46Z https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365870#M107900 <P>I'm trying to figure out how to build an excel-like pivot table using 3 or more columns. As example, I have this data:</P> <PRE><CODE>customer1 project1 note1 customer1 project2 customer1 project3 note2 customer2 project4 note3 customer2 project5 customer2 project6 note4 customer2 project7 note5 customer3 project8 </CODE></PRE> <P>And I want to build a report that looks like this:</P> <PRE><CODE>customer1 project1 note1 project2 project3 note2 customer2 project4 note3 project5 project6 note4 project7 note5 customer3 project8 </CODE></PRE> <P>I've been playing with stats list() and values() and both lose the relationship between the second and third columns. </P> <PRE><CODE>| makeresults 1 | eval pickle="customer1,project1,note1|customer1,project2,|customer1,project3,note2|customer2,project4,note3|customer2,project5,|customer2,project6,note4|customer2,project7,note5|customer3,project8" | eval pickle=split(pickle,"|") | mvexpand pickle | eval pickle=split(pickle,",") | eval customer=mvindex(pickle,0) | eval project=mvindex(pickle,1) | eval note=mvindex(pickle,2) | fields - _time pickle | stats list(project) as project list(note) as note by customer </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4845i7C0C4989039DEF8D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Notice the highlighted notes fall under the wrong project. I get the same behavior with stats values().</P> <P>Is there a way to go about getting a multi column relational list without repeating the customer name in the output?</P> <P>Any ideas anyone has are greatly appreciated!</P> Thu, 26 Apr 2018 23:03:01 GMT https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365870#M107900 jperry_intact 2018-04-26T23:03:01Z https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365871#M107901 <P>I don't think what you are looking for is possible in Splunk in that way. You either have individual lines for each entry, with customer repeated on each line, or you have aggregated results, where there is 1 line per customer.</P> <P>Of course you can cheat, by simply emptying the customer field for each non-first row per customer, by adding the following below your search.</P> <PRE><CODE> | streamstats count by customer | eval customer=if(count=1,customer,"") | fields - count </CODE></PRE> <P>But that does mean you loose the customer field value for those rows, so if you want to do this because you like the way that looks in a report: do it all the way at the end of your search. And it will mean that if someone who opens the report starts sorting the customer column differently, things will also get messed up.</P> Fri, 27 Apr 2018 08:36:46 GMT https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365871#M107901 FrankVl 2018-04-27T08:36:46Z https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365872#M107902 <P>I was afraid of that. Thanks for your help!</P> Mon, 30 Apr 2018 14:53:28 GMT https://community.splunk.com/t5/Splunk-Search/Excel-Like-Pivot-Table/m-p/365872#M107902 jperry_intact 2018-04-30T14:53:28Z