https://community.splunk.com/t5/Splunk-Search/How-to-create-new-columns-from-results/m-p/622126#M216249 <P class="">I'm trying to create table with the top 5 results split into columns, so that I can have multiple results per line, grouped by date. Here's what I have:</P> <P class="">|union<BR />[search index=Firewall BlockFromBadActor| top src_ip by Date limit=5 | rename count as IPCount]<BR />[search index=Firewall BlockFromBadActor| top dest_port by Date limit=5 | rename count as PortCount]<BR />| stats values(*) as * by Date<BR />| fields Date,src_ip,IPCount,dest_port,PortCount</P> <P>Date src_ip IPCount dest_port PortCount</P> <TABLE width="337px"> <TBODY> <TR> <TD width="103px">2022/11/25</TD> <TD width="59px"><A class="" href="https://1.1.1.1/" target="_blank" rel="noopener nofollow ugc">1.1.1.1</A><BR /><A class="" href="https://2.2.2.2/" target="_blank" rel="noopener nofollow ugc">2.2.2.2</A><BR /><A class="" href="https://3.3.3.3/" target="_blank" rel="noopener nofollow ugc">3.3.3.3</A><BR /><A class="" href="https://4.4.4.4/" target="_blank" rel="noopener nofollow ugc">4.4.4.4</A><BR />5.5.5.5</TD> <TD width="51px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> <TD width="61px">1<BR />2<BR />3<BR />4<BR />5</TD> <TD width="63px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> </TR> <TR> <TD width="103px">2022/11/24</TD> <TD width="59px"><A class="" href="https://1.1.1.1/" target="_blank" rel="noopener nofollow ugc">1.1.1.1</A><BR /><A class="" href="https://2.2.2.2/" target="_blank" rel="noopener nofollow ugc">2.2.2.2</A><BR /><A class="" href="https://3.3.3.3/" target="_blank" rel="noopener nofollow ugc">3.3.3.3</A><BR /><A class="" href="https://4.4.4.4/" target="_blank" rel="noopener nofollow ugc">4.4.4.4</A><BR />5.5.5.5</TD> <TD width="51px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> <TD width="61px">1<BR />2<BR />3<BR />4<BR />5</TD> <TD width="63px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> </TR> </TBODY> </TABLE> <P class="">&nbsp;</P> <P class="">What I'm trying to get</P> <P>Date IP 1 IP1 Count IP 2 IP 2 Count Port 1 Port 1 Count Port 2 Port 2 Count</P> <TABLE> <TBODY> <TR> <TD>2022/11/25</TD> <TD>1.1.1.1</TD> <TD>5000</TD> <TD>2.2.2.2</TD> <TD>4000</TD> <TD>1</TD> <TD>5000</TD> <TD>2</TD> <TD>4000</TD> </TR> <TR> <TD>2022/11/24</TD> <TD>1.1.1.1</TD> <TD>5000</TD> <TD>2.2.2.2</TD> <TD>4000</TD> <TD>1</TD> <TD>5000</TD> <TD>2</TD> <TD>4000</TD> </TR> </TBODY> </TABLE> <P class="">I cannot seem to find any way to make the individual query results into new columns.</P> Sun, 27 Nov 2022 16:06:08 GMT CyberMage 2022-11-27T16:06:08Z https://community.splunk.com/t5/Splunk-Search/How-to-create-new-columns-from-results/m-p/622126#M216249 <P class="">I'm trying to create table with the top 5 results split into columns, so that I can have multiple results per line, grouped by date. Here's what I have:</P> <P class="">|union<BR />[search index=Firewall BlockFromBadActor| top src_ip by Date limit=5 | rename count as IPCount]<BR />[search index=Firewall BlockFromBadActor| top dest_port by Date limit=5 | rename count as PortCount]<BR />| stats values(*) as * by Date<BR />| fields Date,src_ip,IPCount,dest_port,PortCount</P> <P>Date src_ip IPCount dest_port PortCount</P> <TABLE width="337px"> <TBODY> <TR> <TD width="103px">2022/11/25</TD> <TD width="59px"><A class="" href="https://1.1.1.1/" target="_blank" rel="noopener nofollow ugc">1.1.1.1</A><BR /><A class="" href="https://2.2.2.2/" target="_blank" rel="noopener nofollow ugc">2.2.2.2</A><BR /><A class="" href="https://3.3.3.3/" target="_blank" rel="noopener nofollow ugc">3.3.3.3</A><BR /><A class="" href="https://4.4.4.4/" target="_blank" rel="noopener nofollow ugc">4.4.4.4</A><BR />5.5.5.5</TD> <TD width="51px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> <TD width="61px">1<BR />2<BR />3<BR />4<BR />5</TD> <TD width="63px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> </TR> <TR> <TD width="103px">2022/11/24</TD> <TD width="59px"><A class="" href="https://1.1.1.1/" target="_blank" rel="noopener nofollow ugc">1.1.1.1</A><BR /><A class="" href="https://2.2.2.2/" target="_blank" rel="noopener nofollow ugc">2.2.2.2</A><BR /><A class="" href="https://3.3.3.3/" target="_blank" rel="noopener nofollow ugc">3.3.3.3</A><BR /><A class="" href="https://4.4.4.4/" target="_blank" rel="noopener nofollow ugc">4.4.4.4</A><BR />5.5.5.5</TD> <TD width="51px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> <TD width="61px">1<BR />2<BR />3<BR />4<BR />5</TD> <TD width="63px">5000<BR />4000<BR />3000<BR />2000<BR />1000</TD> </TR> </TBODY> </TABLE> <P class="">&nbsp;</P> <P class="">What I'm trying to get</P> <P>Date IP 1 IP1 Count IP 2 IP 2 Count Port 1 Port 1 Count Port 2 Port 2 Count</P> <TABLE> <TBODY> <TR> <TD>2022/11/25</TD> <TD>1.1.1.1</TD> <TD>5000</TD> <TD>2.2.2.2</TD> <TD>4000</TD> <TD>1</TD> <TD>5000</TD> <TD>2</TD> <TD>4000</TD> </TR> <TR> <TD>2022/11/24</TD> <TD>1.1.1.1</TD> <TD>5000</TD> <TD>2.2.2.2</TD> <TD>4000</TD> <TD>1</TD> <TD>5000</TD> <TD>2</TD> <TD>4000</TD> </TR> </TBODY> </TABLE> <P class="">I cannot seem to find any way to make the individual query results into new columns.</P> Sun, 27 Nov 2022 16:06:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-new-columns-from-results/m-p/622126#M216249 CyberMage 2022-11-27T16:06:08Z https://community.splunk.com/t5/Splunk-Search/How-to-create-new-columns-from-results/m-p/622127#M216250 <P>mvindex is the answer.&nbsp;<BR /><BR />|union<BR /><SPAN>[search index=Firewall BlockFromBadActor</SPAN> | top src_ip by Date limit=5 | rename count as "IPCount"]<BR /><SPAN>[search index=Firewall BlockFromBadActor&nbsp;</SPAN>| top dest_port by Date limit=10 | rename count as "PortCount"]<BR />| stats values(*) as * by Date<BR />| eval "IP #1" = mvindex(src_ip,0)<BR />| eval "IP #2" = mvindex(src_ip,1)<BR />| eval "IP #3" = mvindex(src_ip,2)<BR />| eval "IP #4" = mvindex(src_ip,3)<BR />| eval "IP #5" = mvindex(src_ip,4)<BR />| eval "Count for IP #1" = mvindex(IPCount,0)<BR />| eval "Count for IP #2" = mvindex(IPCount,1)<BR />| eval "Count for IP #3" = mvindex(IPCount,2)<BR />| eval "Count for IP #4" = mvindex(IPCount,3)<BR />| eval "Count for IP #5" = mvindex(IPCount,4)<BR />| eval "Port #1" = mvindex(dest_port,0)<BR />| eval "Port #2" = mvindex(dest_port,1)<BR />| eval "Port #3" = mvindex(dest_port,2)<BR />| eval "Port #4" = mvindex(dest_port,3)<BR />| eval "Port #5" = mvindex(dest_port,4)<BR />| eval "Port #6" = mvindex(dest_port,5)<BR />| eval "Port #7" = mvindex(dest_port,6)<BR />| eval "Port #8" = mvindex(dest_port,7)<BR />| eval "Port #9" = mvindex(dest_port,8)<BR />| eval "Port #10" = mvindex(dest_port,9)<BR />| eval "Count for Port #1" = mvindex(PortCount,0)<BR />| eval "Count for Port #2" = mvindex(PortCount,1)<BR />| eval "Count for Port #3" = mvindex(PortCount,2)<BR />| eval "Count for Port #4" = mvindex(PortCount,3)<BR />| eval "Count for Port #5" = mvindex(PortCount,4)<BR />| eval "Count for Port #6" = mvindex(PortCount,5)<BR />| eval "Count for Port #7" = mvindex(PortCount,6)<BR />| eval "Count for Port #8" = mvindex(PortCount,7)<BR />| eval "Count for Port #9" = mvindex(PortCount,8)<BR />| eval "Count for Port #10" = mvindex(PortCount,9)<BR />| fields Date,"IP #1","Count for IP #1","IP #2","Count for IP #2","IP #3","Count for IP #3","IP #4","Count for IP #4","IP #5","Count for IP #5","Port #1","Count for Port #1","Port #2","Count for Port #2","Port #3","Count for Port #3","Port #4","Count for Port #4","Port #5","Count for Port #5","Port #6","Count for Port #6","Port #7","Count for Port #7","Port #8","Count for Port #8","Port #9","Count for Port #9","Port #10","Count for Port #10"</P> Fri, 25 Nov 2022 21:04:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-new-columns-from-results/m-p/622127#M216250 CyberMage 2022-11-25T21:04:52Z