https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671585#M230131 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;Below is SPL&nbsp; used,</P> <LI-CODE lang="markup">index="*****" host="sclp*" source="*****" "BOLT_ARIBA_ERROR_DETAILS:" "1-57d28402-9058-11ee-83b7-021a6f9d1f1c" "5bda7ec9" | rex "(?ms)BOLT_ARIBA_ERROR_DETAILS: (?&lt;details&gt;\[.*\])" | spath input=details output=ERROR_MESSAGE path={}.ERROR_MESSAGE | spath input=details output=PO_NUMBER path={}.PO_NUMBER | spath input=details output=MW_ERROR_CODE path={}.MW_ERROR_CODE | spath input=details output=INVOICE_ID path={}.INVOICE_ID | spath input=details output=MSG_GUID path={}.MSG_GUID | spath input=details output=INVOICE_NUMBER path={}.INVOICE_NUMBER | spath input=details output=UUID path={}.UUID | spath input=details output=DB_TIMESTAMP path={}.DB_TIMESTAMP | table ERROR_MESSAGE PO_NUMBER MW_ERROR_CODE INVOICE_ID MSG_GUID INVOICE_NUMBER UUID DB_TIMESTAMP</LI-CODE> Tue, 12 Dec 2023 15:06:09 GMT KundanNagare23 2023-12-12T15:06:09Z https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671578#M230129 <P>We got output in table but all values are in one column&nbsp; for each fields of output table. We want to split values in row. Below is the output table for reference. Please help to split it.&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tempsnip.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28463iF3A1EC4D53C7B16A/image-size/large?v=v2&amp;px=999" role="button" title="tempsnip.png" alt="tempsnip.png" /></span>&nbsp;</P> Tue, 12 Dec 2023 13:54:58 GMT https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671578#M230129 KundanNagare23 2023-12-12T13:54:58Z https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671584#M230130 <P>It's probably better to split the data before the table is created.&nbsp; Please share the current SPL.</P> Tue, 12 Dec 2023 14:19:24 GMT https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671584#M230130 richgalloway 2023-12-12T14:19:24Z https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671585#M230131 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;Below is SPL&nbsp; used,</P> <LI-CODE lang="markup">index="*****" host="sclp*" source="*****" "BOLT_ARIBA_ERROR_DETAILS:" "1-57d28402-9058-11ee-83b7-021a6f9d1f1c" "5bda7ec9" | rex "(?ms)BOLT_ARIBA_ERROR_DETAILS: (?&lt;details&gt;\[.*\])" | spath input=details output=ERROR_MESSAGE path={}.ERROR_MESSAGE | spath input=details output=PO_NUMBER path={}.PO_NUMBER | spath input=details output=MW_ERROR_CODE path={}.MW_ERROR_CODE | spath input=details output=INVOICE_ID path={}.INVOICE_ID | spath input=details output=MSG_GUID path={}.MSG_GUID | spath input=details output=INVOICE_NUMBER path={}.INVOICE_NUMBER | spath input=details output=UUID path={}.UUID | spath input=details output=DB_TIMESTAMP path={}.DB_TIMESTAMP | table ERROR_MESSAGE PO_NUMBER MW_ERROR_CODE INVOICE_ID MSG_GUID INVOICE_NUMBER UUID DB_TIMESTAMP</LI-CODE> Tue, 12 Dec 2023 15:06:09 GMT https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671585#M230131 KundanNagare23 2023-12-12T15:06:09Z https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671639#M230137 <P>That's not what I was expecting.&nbsp; I expected a <FONT face="courier new,courier">stats values</FONT> command that was globbing field values together.&nbsp;</P><P>Can you share a sample event?&nbsp; How many events are in the sample output?</P> Tue, 12 Dec 2023 19:52:57 GMT https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671639#M230137 richgalloway 2023-12-12T19:52:57Z https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671646#M230138 <P>If I am understanding your question correctly I usually parse out an array of json objects as a mutlivalued field first and then use an mvexpand against that MV field. After this you can SPATH each json_object individually so its contents will be on its own row.&nbsp;<BR /><BR />This will also prevent situation where there are some json objects whose key's may have null values and them not properly aligning in the final output.<BR /><BR />Here is an example:<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval event_id=sha256(tostring(random())), json_object="[{\"field1\": \"value_a\", \"field2\": \"value_b\", \"field3\": \"value_c\"},{\"field1\": \"value_x\", \"field2\": \"value_y\", \"field3\": \"value_z\"},{\"field1\": \"value_q\", \"field2\": \"value_r\", \"field3\": \"value_s\"},{\"field1\": \"value_a\", \"field2\": \"value_r\", \"field3\": \"value_c\", \"field4\": \"value_w\"},{\"field2\": \"value_a\", \"field3\": \"value_b\", \"field4\": \"value_s\"}]" | eval mv_json_object=spath(json_object, "{}") | fields - json_object | mvexpand mv_json_object | spath input=mv_json_object | fields - mv_json_object</LI-CODE> Tue, 12 Dec 2023 23:06:25 GMT https://community.splunk.com/t5/Splunk-Search/Split-values-from-each-fields-from-output-table/m-p/671646#M230138 dtburrows3 2023-12-12T23:06:25Z