https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448036#M126979 <P>Dear Experts,<BR /> Please provide a valuable solution for my problem.</P> <P>I am having the fields from JSON which is having multivalue fields as below. In below example Department field having three values and Projects field having 5 values. I want expand this.</P> <P>Name | EMP NO | Department | projects<BR /> ABCS | 1234567 | CS12345678 | PROJ1<BR /> | | AB12345678 | PROJ2<BR /> | | AB55555555 | PROJ3<BR /> | | | PROJ4<BR /> | | | PROJ5</P> <P>I need output like the below<BR /> Name | EMP NO | Department | projects<BR /> ABCS | 1234567 | CS12345678 | PROJ1<BR /> ABCS | 1234567 | AB12345678 | PROJ2<BR /> ABCS | 1234567| AB55555555 | PROJ3<BR /> ABCS | 1234567 | NULL | PROJ4<BR /> ABCS | 1234567 | NULL | PROJ5</P> Wed, 06 Jun 2018 17:39:16 GMT Rajkumarkbm22 2018-06-06T17:39:16Z https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448036#M126979 <P>Dear Experts,<BR /> Please provide a valuable solution for my problem.</P> <P>I am having the fields from JSON which is having multivalue fields as below. In below example Department field having three values and Projects field having 5 values. I want expand this.</P> <P>Name | EMP NO | Department | projects<BR /> ABCS | 1234567 | CS12345678 | PROJ1<BR /> | | AB12345678 | PROJ2<BR /> | | AB55555555 | PROJ3<BR /> | | | PROJ4<BR /> | | | PROJ5</P> <P>I need output like the below<BR /> Name | EMP NO | Department | projects<BR /> ABCS | 1234567 | CS12345678 | PROJ1<BR /> ABCS | 1234567 | AB12345678 | PROJ2<BR /> ABCS | 1234567| AB55555555 | PROJ3<BR /> ABCS | 1234567 | NULL | PROJ4<BR /> ABCS | 1234567 | NULL | PROJ5</P> Wed, 06 Jun 2018 17:39:16 GMT https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448036#M126979 Rajkumarkbm22 2018-06-06T17:39:16Z https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448037#M126980 <P>Do post your json - it might be possible to extract the values correctly right away.</P> Wed, 06 Jun 2018 22:16:36 GMT https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448037#M126980 martin_mueller 2018-06-06T22:16:36Z https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448038#M126981 <P>See the below question: same scenario</P> <P><A href="https://answers.splunk.com/answers/663556/how-to-expand-multi-value-fields-with-different-fo.html?minQuestionBodyLength=80">https://answers.splunk.com/answers/663556/how-to-expand-multi-value-fields-with-different-fo.html?minQuestionBodyLength=80</A></P> Thu, 07 Jun 2018 07:16:05 GMT https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448038#M126981 Rajkumarkbm2 2018-06-07T07:16:05Z https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448039#M126982 <P>I start with the assumption that you have a single record that has Name="ABCS", EmpNo="1234567", Department= a multivalue field with three values, Projects= a multivalue field with 5 values.</P> <PRE><CODE>your search here | table Name EmpNo Department Projects | streamstats count as recNo | eval numRecs=If(mvcount(Department)&gt;mvcount(Projects),mvcount(Department),mvcount(Projects) | eval myFan=mvrange(0,numRecs) | mvexpand myFan | eval Department=case(myFan&lt;mvcount(Department),mvindex(Department,myFan), true(),"NULL") | eval Projects=case(myFan&lt;mvcount(Department),mvindex(Department,myFan), true(),"NULL") </CODE></PRE> <P>Now you have five separate records as requested.</P> <P>The <CODE>recNo</CODE> field is a record number in case you ever want to put them back together again. You can also use it (if desired) for break logic. That could look something like this...</P> <PRE><CODE>your search here | table Name EmpNo Department Projects | streamstats count as recNo | eval numRecs=If(mvcount(Department)&gt;mvcount(Projects),mvcount(Department),mvcount(Projects) | eval nextRec=numRecs+1 | eval myFan=mvrange(0,nextRec) | mvexpand myFan | eval Department=case(myFan&lt;mvcount(Department),mvindex(Department,myFan), myFan=numRecs,"", true(),"NULL") | eval Projects=case(myFan&lt;mvcount(Department),mvindex(Department,myFan), myFan=numRecs,"", true(),"NULL") | eval Name=case(myFan=numRecs,"", true(),Name) | eval EmpNo=case(myFan=numRecs,"", true(),EmpNo) </CODE></PRE> Thu, 07 Jun 2018 15:34:57 GMT https://community.splunk.com/t5/Splunk-Search/how-to-expand-multi-value-fields-with-different-values-in-column/m-p/448039#M126982 DalJeanis 2018-06-07T15:34:57Z