https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431120#M123237 <P>@renjith.nair Yes it works. Many thanks. Did a stupid spelling mistake. </P> Fri, 21 Jun 2019 12:37:04 GMT vbotnari1 2019-06-21T12:37:04Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431116#M123233 <P>Hi</P> <P>I have the following table:</P> <PRE><CODE>IP | Event | Bad 10.10.10.1 | fail | 10.10.10.1 | | malicious </CODE></PRE> <P>The result should look like 10.10.10.1 fail malicious.<BR /> I have to display the IP value only if it has both Event and bad values</P> <P>In my search, an IP cannot have both Event and Bad values in the same row. I need to extract from the table if the same IP has both Event and Bad values in different rows and they display as I single row with all values. I hope this makes sense</P> Fri, 21 Jun 2019 11:11:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431116#M123233 vbotnari1 2019-06-21T11:11:38Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431117#M123234 <P>@vbotnari1 </P> <P>Try</P> <PRE><CODE>"your current search" | stats values(Event) as Event,values(Bad) as Bad by IP | where isnotnull(Event) AND isnotnull(Bad) </CODE></PRE> Fri, 21 Jun 2019 11:31:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431117#M123234 renjith_nair 2019-06-21T11:31:58Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431118#M123235 <P>@renjith.nair Thank you. But your search works for rows with both values.<BR /> In my search an IP cannot have both Event and Bad values in the same row. I need to extract from the table if the same IP has both Event and Bad values in different rows and them display as I single row with all values. I hope this makes sens </P> Fri, 21 Jun 2019 11:51:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431118#M123235 vbotnari1 2019-06-21T11:51:21Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431119#M123236 <P>@vbotnari1,<BR /> Yes the second line <CODE>stats</CODE> should do this for you. It picks up both values from events and group it with IP Isn't working ?</P> <P>Here is the dummy search I used</P> <PRE><CODE>| makeresults | eval IP="10.10.10.1 10.10.10.1 10.10.10.2 10.10.10.2"| makemv IP| mvexpand IP | appendcols [| makeresults | eval Event="Fail,,,Fail,," | makemv Event delim=","| mvexpand Event] | appendcols [| makeresults| eval Bad=" ,malicious,,virus,"| makemv Bad delim=","| mvexpand Bad] | table IP,Event,Bad | eval Bad=if(Bad==" ",null(),Bad)| eval Event=if(Event==" ",null(),Event) </CODE></PRE> <P>and then the <CODE>stats</CODE> and <CODE>where</CODE> added to it</P> <PRE><CODE> | stats values(Event) as Event,values(Bad) as Bad by IP | where isnotnull(Event) AND isnotnull(Bad) </CODE></PRE> <P>Please let me know if it's not matching with your dataset</P> Fri, 21 Jun 2019 12:23:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431119#M123236 renjith_nair 2019-06-21T12:23:57Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431120#M123237 <P>@renjith.nair Yes it works. Many thanks. Did a stupid spelling mistake. </P> Fri, 21 Jun 2019 12:37:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-row-with-all-values/m-p/431120#M123237 vbotnari1 2019-06-21T12:37:04Z