topic Re: How to transform a table in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-table/m-p/474466#M192480 <PRE><CODE>| makeresults | eval _raw=" time session event t1 session1 actionA t2 session1 actionB t3 session1 actionC t4 session1 actionA t5 session2 actionB t6 session2 actionC" | multikv forceheader=1 | streamstats count as time_args | eval time_args="+".time_args."h@h-1d" | eval time=relative_time(_time,time_args) | eval _time=time | table _time session event | rename COMMENT as "this is sample you provide. from here, the logic" | streamstats window=2 range(_time) as duration list(event) as event_list count(event) as counts by session | where counts=2 | eval event_list=mvjoin(event_list,",") | stats sum(counts) as count sum(duration) as timetaken by event_list | eval from=mvindex(split(event_list,","),0), to=mvindex(split(event_list,","),1), timetaken=tostring(round(timetaken),"duration") | table from to count timetaken </CODE></PRE> <P>How about this?</P> Thu, 09 Apr 2020 21:28:10 GMT to4kawa 2020-04-09T21:28:10Z How to transform a table https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-table/m-p/474465#M192479 <P>If I have the data in following format:</P> <PRE><CODE>time session event t1 session1 actionA t2 session1 actionB t3 session1 actionC t4 session1 actionA t5 session2 actionB t6 session2 actionC </CODE></PRE> <P>want to write a splunk query to transform it to this format:</P> <PRE><CODE>from to count timetaken actionA actionB 1 (t2-t1) actionB actionC. 2 (t3-t2) + (t5+t6) actionC actionA 1 (t4-t3) </CODE></PRE> <P>can someone recommend an expression for this?</P> Thu, 09 Apr 2020 18:38:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-table/m-p/474465#M192479 dtakacssplunk 2020-04-09T18:38:02Z Re: How to transform a table https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-table/m-p/474466#M192480 <PRE><CODE>| makeresults | eval _raw=" time session event t1 session1 actionA t2 session1 actionB t3 session1 actionC t4 session1 actionA t5 session2 actionB t6 session2 actionC" | multikv forceheader=1 | streamstats count as time_args | eval time_args="+".time_args."h@h-1d" | eval time=relative_time(_time,time_args) | eval _time=time | table _time session event | rename COMMENT as "this is sample you provide. from here, the logic" | streamstats window=2 range(_time) as duration list(event) as event_list count(event) as counts by session | where counts=2 | eval event_list=mvjoin(event_list,",") | stats sum(counts) as count sum(duration) as timetaken by event_list | eval from=mvindex(split(event_list,","),0), to=mvindex(split(event_list,","),1), timetaken=tostring(round(timetaken),"duration") | table from to count timetaken </CODE></PRE> <P>How about this?</P> Thu, 09 Apr 2020 21:28:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-table/m-p/474466#M192480 to4kawa 2020-04-09T21:28:10Z