https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525215#M148184 <P>Greetings...</P><P>I have a table that looks like:<BR /><BR />Timestamp | Action | User<BR />YYYY-MM-DD HH:MM:SS| Fail | User1<BR />YYYY-MM-DD HH:MM:SS | Succeed| User2<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR />YYYY-MM-DD HH:MM:SS| Fail| User2<BR /><BR />Is there a way to break this down into separate tables by User such that:<BR />YYYY-MM-DD HH:MM:SS| Fail | User1<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR /><BR />YYYY-MM-DD HH:MM:SS | Succeed| User2<BR />YYYY-MM-DD HH:MM:SS| Fail| User2</P> Sun, 18 Oct 2020 02:00:35 GMT p3hndrx 2020-10-18T02:00:35Z https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525215#M148184 <P>Greetings...</P><P>I have a table that looks like:<BR /><BR />Timestamp | Action | User<BR />YYYY-MM-DD HH:MM:SS| Fail | User1<BR />YYYY-MM-DD HH:MM:SS | Succeed| User2<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR />YYYY-MM-DD HH:MM:SS| Fail| User2<BR /><BR />Is there a way to break this down into separate tables by User such that:<BR />YYYY-MM-DD HH:MM:SS| Fail | User1<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR />YYYY-MM-DD HH:MM:SS| Succeed| User1<BR /><BR />YYYY-MM-DD HH:MM:SS | Succeed| User2<BR />YYYY-MM-DD HH:MM:SS| Fail| User2</P> Sun, 18 Oct 2020 02:00:35 GMT https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525215#M148184 p3hndrx 2020-10-18T02:00:35Z https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525216#M148185 <LI-CODE lang="markup">index=_internal | head 1 | fields _raw | eval _raw="Timestamp | Action | User YYYY-MM-DD HH:MM:SS | Fail | User1 YYYY-MM-DD HH:MM:SS | Succeed | User2 YYYY-MM-DD HH:MM:SS | Succeed | User1 YYYY-MM-DD HH:MM:SS | Succeed | User1 YYYY-MM-DD HH:MM:SS | Fail | User2" | rename COMMENT as "these are your log sample. from here, the logic" | rex mode=sed "s/( \| )/,/g" | multikv forceheader=1 | table Timestamp Action User | sort User | autoregress User | streamstats count as tmp | eval User=mvdedup(mvappend(User,User_p1)) | fields - User_p1 | mvexpand User | streamstats count by tmp | sort User | foreach * [ eval &lt;&lt;FIELD&gt;&gt;=if(count=2,NULL,'&lt;&lt;FIELD&gt;&gt;')] | table Timestamp Action User</LI-CODE><P>It's not easy to open a line.</P> Sun, 18 Oct 2020 02:24:35 GMT https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525216#M148185 to4kawa 2020-10-18T02:24:35Z https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525222#M148189 <P>This gets me pretty close.</P><P>I guess there is no trellis for a stats table.</P> Sun, 18 Oct 2020 05:07:53 GMT https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525222#M148189 p3hndrx 2020-10-18T05:07:53Z https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525225#M148191 <P>That's right, because it wasn't in the request.</P> Sun, 18 Oct 2020 07:09:48 GMT https://community.splunk.com/t5/Splunk-Search/Split-Table-by-Field/m-p/525225#M148191 to4kawa 2020-10-18T07:09:48Z