https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615323#M213842 <LI-CODE lang="markup">| eval service=split(Services,",") | streamstats count as _row | mvexpand service | eval {service}=service | stats values(*) as * by _row | fields - _row service</LI-CODE> Fri, 30 Sep 2022 07:59:34 GMT ITWhisperer 2022-09-30T07:59:34Z https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615301#M213837 <P>I have the following fields, where some of them might be null, empty, whatnot values.</P><P>I would like to split the Services values, which might have 1-N values separated by a comma, to separate columns/fields prefixed with "Sp.".</P><P>For example:</P><PRE>| makeresults <BR />| eval Platform="p1", Ent="ent1", Ext="100", Fieldx=null(), Fieldy="" , Services="user,role,func1,func2" <BR />| append [<BR />| makeresults <BR />| eval Platform="p1", Ent="ent2", Ext="100", Fieldx="", Fieldy=null(), Services="user2,role2,func4,func8,func5,role3"<BR />]<BR />| fields _time Platform Ent Ext Fieldx Fieldy Services</PRE><P>Gives an example like:</P><TABLE><TBODY><TR><TD>_time</TD><TD>Platform</TD><TD>Ent</TD><TD>Ext</TD><TD>Filedx</TD><TD>Fieldy</TD><TD>Services</TD></TR><TR><TD>2022-09-30 08:56:11</TD><TD>p1</TD><TD>ent1</TD><TD>100</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>user,role,func1,func2</TD></TR><TR><TD>2022-09-30 08:56:11</TD><TD>p1</TD><TD>ent2</TD><TD>100</TD><TD>&nbsp;</TD><TD>&nbsp;</TD><TD>user2,role2,func4,func8,func5,role3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How do I split the Services into a separate fields?</P><P>I think I cannot just use stats list() by "All_fields" due to those possible null values in other fields.</P><TABLE><TBODY><TR><TD width="75.125px">_time</TD><TD width="40px">Platform</TD><TD width="44.4531px">Ent</TD><TD width="40px">Ext</TD><TD width="40px">Fieldx</TD><TD width="40px">Fieldy</TD><TD width="267.594px">Services</TD><TD width="52.875px">Sp.func1</TD><TD width="52.875px">Sp.func2</TD><TD width="52.875px">Sp.func4</TD><TD width="52.875px">Sp.func5</TD><TD width="52.875px">Sp.func8</TD><TD width="40px">Sp.role</TD><TD width="48.2188px">Sp.role2</TD><TD width="48.2188px">Sp.role3</TD><TD width="42.5312px">Sp.user</TD><TD width="52.125px">Sp.user2</TD></TR><TR><TD width="75.125px">2022-09-30 09:07:00</TD><TD width="40px">p1</TD><TD width="44.4531px">ent1</TD><TD width="40px">100</TD><TD width="40px">&nbsp;</TD><TD width="40px">&nbsp;</TD><TD width="267.594px">user,role,func1,func2</TD><TD width="52.875px">func1</TD><TD width="52.875px">func2</TD><TD width="52.875px">&nbsp;</TD><TD width="52.875px">&nbsp;</TD><TD width="52.875px">&nbsp;</TD><TD width="40px">role</TD><TD width="48.2188px">&nbsp;</TD><TD width="48.2188px">&nbsp;</TD><TD width="42.5312px">user</TD><TD width="52.125px">&nbsp;</TD></TR><TR><TD width="75.125px">2022-09-30 09:07:00</TD><TD width="40px">p1</TD><TD width="44.4531px">ent2</TD><TD width="40px">100</TD><TD width="40px">&nbsp;</TD><TD width="40px">&nbsp;</TD><TD width="267.594px">user2,role2,func4,func8,func5,role3</TD><TD width="52.875px">&nbsp;</TD><TD width="52.875px">&nbsp;</TD><TD width="52.875px">func4</TD><TD width="52.875px">func5</TD><TD width="52.875px">func8</TD><TD width="40px">&nbsp;</TD><TD width="48.2188px">role2</TD><TD width="48.2188px">role3</TD><TD width="42.5312px">&nbsp;</TD><TD width="52.125px">user2</TD></TR></TBODY></TABLE><P>&nbsp;</P> Fri, 30 Sep 2022 06:19:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615301#M213837 JykkeDaMan 2022-09-30T06:19:29Z https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615321#M213841 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59853">@JykkeDaMan</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">| makeresults | eval Platform="p1", Ent="ent1", Ext="100", Fieldx=null(), Fieldy="" , Services="user,role,func1,func2" | append [| makeresults | eval Platform="p1", Ent="ent2", Ext="100", Fieldx="", Fieldy=null(), Services="user2,role2,func4,func8,func5,role3" ] | fields _time Platform Ent Ext Fieldx Fieldy Services | eval a=1 | accum a | eval Services_mv = split(Services,",") | mvexpand Services_mv | eval Sp.{Services_mv}=Services_mv |fields - Services_mv |stats values(*) as * by a |fields - a</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2022-09-30 at 1.22.48 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21780i056EBFA2B1CDA1EC/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2022-09-30 at 1.22.48 PM.png" alt="Screenshot 2022-09-30 at 1.22.48 PM.png" /></span></P><P>&nbsp;</P><P>I hope this will help you.</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated. </P> Fri, 30 Sep 2022 07:53:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615321#M213841 kamlesh_vaghela 2022-09-30T07:53:05Z https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615323#M213842 <LI-CODE lang="markup">| eval service=split(Services,",") | streamstats count as _row | mvexpand service | eval {service}=service | stats values(*) as * by _row | fields - _row service</LI-CODE> Fri, 30 Sep 2022 07:59:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615323#M213842 ITWhisperer 2022-09-30T07:59:34Z https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615373#M213865 <P>Indeed, stats(*) as * by &lt;field_always_exist&gt; :-).</P> Fri, 30 Sep 2022 12:01:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-by-comma-and-use-values-as-field-names/m-p/615373#M213865 JykkeDaMan 2022-09-30T12:01:07Z