https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451792#M127935 <P>I got the desired output by using below command.</P> <PRE><CODE>base search | multikv | table INCIDENT_ID PROBLEM_KEY CREATE_TIME </CODE></PRE> Mon, 10 Sep 2018 09:57:26 GMT twh1 2018-09-10T09:57:26Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451787#M127930 <P>I have an event in the below format.</P> <PRE><CODE>INCIDENT_ID PROBLEM_KEY CREATE_TIME -------------------- ----------------------------------------------------------- ---------------------------------------- 102753 ORA 15064 2018-05-24 15:38:50.242000 -04:00 107689 ORA 29740 2018-05-24 17:04:00.414000 -04:00 112801 ORA 32701 2018-05-24 20:59:14.420000 -04:00 </CODE></PRE> <P>I need this data as <STRONG>INCIDENT_ID</STRONG> field with values (102753, 107689, 112801), and <STRONG>PROBLEM_KEY</STRONG>, <STRONG>CREATE_TIME</STRONG> fields in same way. I used <STRONG>multikv</STRONG> command, but I am not getting the desired result.</P> <PRE><CODE>base search | multikv fields INCIDENT_ID PROBLEM_KEY CREATE_TIME | table INCIDENT_ID PROBLEM_KEY CREATE_TIME </CODE></PRE> Fri, 07 Sep 2018 14:59:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451787#M127930 twh1 2018-09-07T14:59:08Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451788#M127931 <P>@twh1, if its currently displaying as a single row, then try</P> <PRE><CODE>your search|eval z=mvzip(mvzip( INCIDENT_ID ,PROBLEM_KEY,"," ),CREATE_TIME,"," )|fields z|mvexpand z|eval s=split(z,",")|eval INCIDENT_ID=mvindex(s,0),PROBLEM_KEY=mvindex(s,1),CREATE_TIME=mvindex(s,2)|fields INCIDENT_ID,PROBLEM_KEY,CREATE_TIME </CODE></PRE> Fri, 07 Sep 2018 16:45:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451788#M127931 renjith_nair 2018-09-07T16:45:15Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451789#M127932 <P>What's the current output looks like and what should be the expected output?</P> Fri, 07 Sep 2018 20:29:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451789#M127932 somesoni2 2018-09-07T20:29:51Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451790#M127933 <P>Hi @renjith.nair <BR /> I tried above query but didn't get the desired output.</P> Mon, 10 Sep 2018 09:20:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451790#M127933 twh1 2018-09-10T09:20:23Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451791#M127934 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a> : </P> <P>I need 3 fileds(INCIDENT_ID, PROBLEM_KEY, CREATE_TIME) should get created at run time. When I use table command to print these fields respective column value should come in that field.</P> Tue, 29 Sep 2020 21:10:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451791#M127934 twh1 2020-09-29T21:10:20Z https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451792#M127935 <P>I got the desired output by using below command.</P> <PRE><CODE>base search | multikv | table INCIDENT_ID PROBLEM_KEY CREATE_TIME </CODE></PRE> Mon, 10 Sep 2018 09:57:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-get-tabular-event-with-field-value-pair/m-p/451792#M127935 twh1 2018-09-10T09:57:26Z