https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/613971#M213355 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249673">@siriosus</a>&nbsp;</P><P>I have designed some sample searches for you.</P><P>for your first scenario please try this.</P><LI-CODE lang="markup">YOUR_BASE_SEARCH | foreach *_* [ eval sg= mvappend(sg,"&lt;&lt;MATCHSEG1&gt;&gt;"), sgvalue=mvappend(sgvalue,'&lt;&lt;MATCHSEG1&gt;&gt;'), sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;) ] | eval t = mvzip(mvzip(sg,sgvalue),sgapproval) | stats count by t | eval sg=mvindex(split(t,","),0),sg_value=mvindex(split(t,","),1),sg_approval=mvindex(split(t,","),2) | fields - t,count</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="sg1 sg1_approval sg2 sg2_approval sg3 sg3_approval value1 approved value2 not approved value3 delayed value11 approved1 value21 not approved1 value31 delayed1" | multikv forceheader=1 | table sg1 sg1_approval sg2 sg2_approval sg3 sg3_approval | rename comment as "upto this is sample data" | foreach *_* [ eval sg= mvappend(sg,"&lt;&lt;MATCHSEG1&gt;&gt;"), sgvalue=mvappend(sgvalue,'&lt;&lt;MATCHSEG1&gt;&gt;'), sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;) ] | eval t = mvzip(mvzip(sg,sgvalue),sgapproval) | stats count by t | eval sg=mvindex(split(t,","),0),sg_value=mvindex(split(t,","),1),sg_approval=mvindex(split(t,","),2) | fields - t,count</LI-CODE><P>&nbsp;</P><P><STRONG>Screen</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-09-21 at 11.29.32 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21591iAC068EF1199E9C35/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-09-21 at 11.29.32 PM.png" alt="Screenshot 2022-09-21 at 11.29.32 PM.png" /></span></P><P>&nbsp;</P><P>For your second scenario</P><LI-CODE lang="markup">YOUR_BASE_SEARCH | foreach *_a* [ eval sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;), sgnow= mvappend(sgnow,'&lt;&lt;MATCHSEG1&gt;&gt;_now') ] | eval t = mvzip(sgapproval,sgnow) | stats count by t | eval sg_approval=mvindex(split(t,","),0),sg_now=mvindex(split(t,","),1) |stats sum(sg_now) as sg_now by sg_approval</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="sg1 sg1_approval sg1_now sg2 sg2_approval sg2_now sg3 sg3_now sg3_approval value1 approved 4 value2 not approved 2 value3 5 delayed value2 not approved 3 value3 approved 5 value4 1 approved" | multikv forceheader=1 | table sg1 sg1_approval sg1_now sg2 sg2_approval sg2_now sg3 sg3_approval sg3_now | rename comment as "upto this is sample data" | foreach *_a* [ eval sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;), sgnow= mvappend(sgnow,'&lt;&lt;MATCHSEG1&gt;&gt;_now') ] | eval t = mvzip(sgapproval,sgnow) | stats count by t | eval sg_approval=mvindex(split(t,","),0),sg_now=mvindex(split(t,","),1) |stats sum(sg_now) as sg_now by sg_approval</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-09-21 at 11.31.21 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21592i91CB8B42CABE280D/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-09-21 at 11.31.21 PM.png" alt="Screenshot 2022-09-21 at 11.31.21 PM.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>I hope this will help you.</P><P>&nbsp;</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P><P>&nbsp;</P> Wed, 21 Sep 2022 18:01:41 GMT kamlesh_vaghela 2022-09-21T18:01:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/613962#M213351 <P>Hello dear Splunk experts!</P><P>I've stuck with one search and can't figure how to do this.&nbsp;</P><P>Did a lot of searching here on this friendly community but couldn't find the answer despite that saw a lot of similar tasks with solutions.</P><P>I have a dataset like this:</P><TABLE width="422"><TBODY><TR><TD width="46">sg1</TD><TD width="108">sg1_approval</TD><TD width="46">sg2</TD><TD width="89">sg2_approval</TD><TD width="46">sg3</TD><TD width="87">sg3_approval</TD></TR><TR><TD>value1</TD><TD>approved</TD><TD>value2</TD><TD>not approved</TD><TD>value3</TD><TD>delayed</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>And I want to get something like this:</P><TABLE width="240"><TBODY><TR><TD width="64">sg</TD><TD width="87">sg_value</TD><TD width="89">sg_approval</TD></TR><TR><TD>sg1</TD><TD>value1</TD><TD>approved</TD></TR><TR><TD>sg2</TD><TD>value2</TD><TD>not approved</TD></TR><TR><TD>sg3</TD><TD>value3</TD><TD>delayed</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>What is the best way to achieve this?</P><P>I've found some examples around transpose, eval or stats functions but these didn't solve my task completely.</P><P>And to add a bit of complexity to this task - how to calculate sum of particular cells in rows with particular values of columns. I have this dataset:</P><TABLE width="637"><TBODY><TR><TD width="46">sg1</TD><TD width="87">sg1_approval</TD><TD width="87">sg1_now</TD><TD width="46">sg2</TD><TD width="89">sg2_approval</TD><TD width="89">sg2_now</TD><TD width="46">sg3</TD><TD width="60">sg2_now</TD><TD width="87">sg3_approval</TD></TR><TR><TD>value1</TD><TD>approved</TD><TD>4</TD><TD>value2</TD><TD>not approved</TD><TD>2</TD><TD>value3</TD><TD>5</TD><TD>delayed</TD></TR><TR><TD>value2</TD><TD>not approved</TD><TD>3</TD><TD>value3</TD><TD>approved</TD><TD>5</TD><TD>value4</TD><TD>1</TD><TD>approved</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>And want to extract it as:</P><TABLE width="174"><TBODY><TR><TD width="87">sg_approval</TD><TD width="87">sg_now</TD></TR><TR><TD>approved</TD><TD>10</TD></TR><TR><TD>not approved</TD><TD>5</TD></TR><TR><TD>delayed</TD><TD>5</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>So that sg_now column contains sum of all values in sg1_now, sg2_now and sg3_now sorted by&nbsp;sg1_approval,&nbsp;sg2_approval and&nbsp;sg3_approval.</P><P>Thank you very much in advance!</P><P>Regards</P> Wed, 21 Sep 2022 16:44:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/613962#M213351 siriosus 2022-09-21T16:44:19Z https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/613971#M213355 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249673">@siriosus</a>&nbsp;</P><P>I have designed some sample searches for you.</P><P>for your first scenario please try this.</P><LI-CODE lang="markup">YOUR_BASE_SEARCH | foreach *_* [ eval sg= mvappend(sg,"&lt;&lt;MATCHSEG1&gt;&gt;"), sgvalue=mvappend(sgvalue,'&lt;&lt;MATCHSEG1&gt;&gt;'), sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;) ] | eval t = mvzip(mvzip(sg,sgvalue),sgapproval) | stats count by t | eval sg=mvindex(split(t,","),0),sg_value=mvindex(split(t,","),1),sg_approval=mvindex(split(t,","),2) | fields - t,count</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="sg1 sg1_approval sg2 sg2_approval sg3 sg3_approval value1 approved value2 not approved value3 delayed value11 approved1 value21 not approved1 value31 delayed1" | multikv forceheader=1 | table sg1 sg1_approval sg2 sg2_approval sg3 sg3_approval | rename comment as "upto this is sample data" | foreach *_* [ eval sg= mvappend(sg,"&lt;&lt;MATCHSEG1&gt;&gt;"), sgvalue=mvappend(sgvalue,'&lt;&lt;MATCHSEG1&gt;&gt;'), sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;) ] | eval t = mvzip(mvzip(sg,sgvalue),sgapproval) | stats count by t | eval sg=mvindex(split(t,","),0),sg_value=mvindex(split(t,","),1),sg_approval=mvindex(split(t,","),2) | fields - t,count</LI-CODE><P>&nbsp;</P><P><STRONG>Screen</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-09-21 at 11.29.32 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21591iAC068EF1199E9C35/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-09-21 at 11.29.32 PM.png" alt="Screenshot 2022-09-21 at 11.29.32 PM.png" /></span></P><P>&nbsp;</P><P>For your second scenario</P><LI-CODE lang="markup">YOUR_BASE_SEARCH | foreach *_a* [ eval sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;), sgnow= mvappend(sgnow,'&lt;&lt;MATCHSEG1&gt;&gt;_now') ] | eval t = mvzip(sgapproval,sgnow) | stats count by t | eval sg_approval=mvindex(split(t,","),0),sg_now=mvindex(split(t,","),1) |stats sum(sg_now) as sg_now by sg_approval</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="sg1 sg1_approval sg1_now sg2 sg2_approval sg2_now sg3 sg3_now sg3_approval value1 approved 4 value2 not approved 2 value3 5 delayed value2 not approved 3 value3 approved 5 value4 1 approved" | multikv forceheader=1 | table sg1 sg1_approval sg1_now sg2 sg2_approval sg2_now sg3 sg3_approval sg3_now | rename comment as "upto this is sample data" | foreach *_a* [ eval sgapproval= mvappend(sgapproval,&lt;&lt;FIELD&gt;&gt;), sgnow= mvappend(sgnow,'&lt;&lt;MATCHSEG1&gt;&gt;_now') ] | eval t = mvzip(sgapproval,sgnow) | stats count by t | eval sg_approval=mvindex(split(t,","),0),sg_now=mvindex(split(t,","),1) |stats sum(sg_now) as sg_now by sg_approval</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-09-21 at 11.31.21 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21592i91CB8B42CABE280D/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-09-21 at 11.31.21 PM.png" alt="Screenshot 2022-09-21 at 11.31.21 PM.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>I hope this will help you.</P><P>&nbsp;</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P><P>&nbsp;</P> Wed, 21 Sep 2022 18:01:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/613971#M213355 kamlesh_vaghela 2022-09-21T18:01:41Z https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/614015#M213372 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;</P><P>Thank you very much for your efforts in helping with this!&nbsp;</P><P>Your examples do exactly what I was trying to achieve.</P><P>I'm new to Splunk and see that sky is the limit to SPL searching capabilities and transformations of data it is&nbsp; able to perform, but it requires some practice to master.</P><P>Your solution is great instance how exact examples (which are not always presented and obvious in the documentation) can help to understand SPL for newbies.</P><P>Thanks again!</P><P>Regards</P><P>&nbsp;</P> Thu, 22 Sep 2022 06:10:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/614015#M213372 siriosus 2022-09-22T06:10:22Z https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/614025#M213376 <P>Glad to help you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249673">@siriosus</a>&nbsp;</P><P>&nbsp;</P><P>Happy Splunking</P><P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Thu, 22 Sep 2022 06:43:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-rows-into-columns-from-rows-values/m-p/614025#M213376 kamlesh_vaghela 2022-09-22T06:43:01Z