How to split a column into multiple columns?

dojiepreji — Wed, 29 May 2019 11:25:10 GMT

Hi,

I have a table that looks like this:

name       | count
score1and2 | 1
score1     | 2
score2     | 2
missed1and2| 3
missed1    | 2
missed2    | 2

I want to arrange the table like this:

name       | count     |  name       | count
score1and2 | 1         | missed1and2 | 3
score1     | 2         | missed1     | 2
score2     | 2         | missed2     | 2

I've tried using chart and tried different arrangements of by and over clauses but to no avail.
Any help would be appreciated. Thank you.

Re: How to split a column into multiple columns?

tomaszdziwok — Wed, 29 May 2019 12:36:42 GMT

Hi dopjiepreji,

Unfortunately, doing exactly what you want is impossible in Splunk. There is no way that you can have duplicate column names in standard SPL (although you might be able to do it in XML of a dashboard).

The following SPL should be very close to what you wanted, but it's a bit "hacky" so I wouldn't recommend this approach.

| search name=missed*
| sort name
| appendcols [
 | search name=score*
 | sort name
 | rename name as name1, count as count1
]
| table name, count, name1, count1

This search is slightly different from what you requested, but it is much more the "Splunk way".

| rex field=name "(?<class>missed|score)(?<type>.*)"
| stats sum(count) as count by type, class
| xyseries class, type, count

Hopefully you can find a way to make this work better with your real data. I had to use "|rex" to extract information from "name" in the sample you provided to get it working.

topic Re: How to split a column into multiple columns? in Splunk Search

How to split a column into multiple columns?

Re: How to split a column into multiple columns?