https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487263#M193809 <P>What is the problem are you trying to solve? Creating many fields like this is rarely a good idea.</P> Tue, 14 Jan 2020 18:06:10 GMT jpolvino 2020-01-14T18:06:10Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487262#M193808 <P>time = 9:30 <BR /> 10:30<BR /> 11:30<BR /> Currently I am doing this <BR /> | eval first.time=mvindex(time, 1), second.time=mvindex(time, 2), third.time=mvindex(time, 3)</P> <P>This will give me first.time = 9:30, second.time= 10:30, third.time=11:30 fields moved from time field where it is a multivalued field. If i have <STRONG>undefined number of fields</STRONG> under this what should I do to automate it? instead of hardcoding it like | eval first.time=mvindex(time, 1), second.time=mvindex(time, 2), third.time=mvindex(time, 3) fourth.time=mvindex(time,4)............hundred.time=mvindex(time,100)</P> Tue, 14 Jan 2020 16:38:57 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487262#M193808 praneeth2050 2020-01-14T16:38:57Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487263#M193809 <P>What is the problem are you trying to solve? Creating many fields like this is rarely a good idea.</P> Tue, 14 Jan 2020 18:06:10 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487263#M193809 jpolvino 2020-01-14T18:06:10Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487264#M193810 <P>So, I am trying to create a Splunk report with the changes in time and changes in other fields. The data I receive will have multiple time fields. For now i have only 3 time fields. In the future, I may even have 10 or 20-time fields... In the case of hardcoding using mvindex is there any alternative? </P> <P>PS: I have extracted this multivalued field using REGEX</P> Tue, 14 Jan 2020 18:20:58 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487264#M193810 praneeth2050 2020-01-14T18:20:58Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487265#M193811 <P>@niketnilay is it possible to help me out here? </P> Wed, 15 Jan 2020 13:00:01 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487265#M193811 praneeth2050 2020-01-15T13:00:01Z https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487266#M193812 <PRE><CODE>| makeresults count=100 | streamstats current=f count | eval time = (random() % 23).":30" | stats list(time) as time `comment("this is sample data, please check this")` | eval counter=mvrange(0,mvcount(time)) | stats list(time) as time by counter | eval time=mvindex(time,counter) | sort 0 counter | transpose 0 header_field=counter column_name=_col | foreach * [rename &lt;&lt;FIELD&gt;&gt; as time_&lt;&lt;MATCHSTR&gt;&gt;] </CODE></PRE> <P>Hi, @praneeth2050<BR /> It's a boring name, but it works.</P> Wed, 15 Jan 2020 13:44:24 GMT https://community.splunk.com/t5/Splunk-Search/I-m-trying-to-move-fields-from-multi-value-fields-using-mvindex/m-p/487266#M193812 to4kawa 2020-01-15T13:44:24Z