topic Re: How to Split Row value in single column to multiple row value? in Splunk Search

How to Split Row value in single column to multiple row value?

abhishekpatel2 — Thu, 11 Mar 2021 08:54:51 GMT

I want to split row into multiple row by spliting it under the same column.

Example:-

col1 col2 col3 col4

A,a Z,z B,b X,x

P,p C,c Y,y

V,v

In the above example A,a P,p V,v is in the same row but I want to have it in differet row under column col1.

Re: How to Split Row value in single column to multiple row value?

to4kawa — Thu, 11 Mar 2021 09:38:56 GMT

try mvexpand

Re: How to Split Row value in single column to multiple row value?

abhishekpatel2 — Thu, 11 Mar 2021 09:53:14 GMT

It wont works because I have varied number of column and I want to split for all the 50 columns that are coming in my output.

So can anyone help me with this...

Re: How to Split Row value in single column to multiple row value?

to4kawa — Thu, 11 Mar 2021 10:00:23 GMT

Re: How to Split Row value in single column to multiple row value?

abhishekpatel2 — Thu, 11 Mar 2021 10:03:50 GMT

But in my table the value of columns are not like col1,col2 ,etc it is various Name of security attacks.For example:-(TA0003) Persistence

This is one of the name of column.

So can anyone help me with this.......

Re: How to Split Row value in single column to multiple row value?

to4kawa — Thu, 11 Mar 2021 20:29:06 GMT

index=_internal | head 1 | fields _raw | eval _raw="{\"squadName\":\"Super hero squad\",\"homeTown\":\"Metro City\",\"formed\":2016,\"secretBase\":\"Super tower\",\"active\":true,\"members\":[{\"name\":\"Molecule Man\",\"age\":29,\"secretIdentity\":\"Dan Jukes\",\"powers\":[\"Radiation resistance\",\"Turning tiny\",\"Radiation blast\"]},{\"name\":\"Madame Uppercut\",\"age\":39,\"secretIdentity\":\"Jane Wilson\",\"powers\":[\"Million tonne punch\",\"Damage resistance\",\"Superhuman reflexes\"]},{\"name\":\"Eternal Flame\",\"age\":1000000,\"secretIdentity\":\"Unknown\",\"powers\":[\"Immortality\",\"Heat Immunity\",\"Inferno\",\"Teleportation\",\"Interdimensional travel\"]}]}" | spath | fields - _* | rename *{}.* as *_* | rename *{} as * | table * ``` this is sample data``` ``` from here, the logic ``` | eval tmp="val" | transpose 0 header_field=tmp | streamstats window=1 count(val) as count | eventstats max(count) as count | appendpipe [ eval column="count", val=count] | fields - count | dedup column | transpose 0 header_field=column | fields - column | eval count=mvrange(0,count) | mvexpand count | rename count as _count | foreach * [ eval <<FIELD>> = mvindex(<<FIELD>>,_count)] | fields - _count

It counts fields dynamically, so it could be used anywhere.

Re: How to Split Row value in single column to multiple row value?

abhishekpatel2 — Sun, 14 Mar 2021 12:08:40 GMT

No I don't get the needed output yet.