https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154898#M43565 <P>Can you add a sample of your input data and what the output should look like so that we get a better idea what you are trying to achieve.</P> Wed, 18 Feb 2015 23:08:25 GMT ramdaspr 2015-02-18T23:08:25Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154897#M43564 <P>Hi,</P> <P>I'm a bit unsure how to go about this, but essentially I'd like to create a new field for each value contained in an existing field.</P> <P>I have a field that we'll call <EM>name</EM> containing several hundred entries. I'd like to create a new value for each field in <EM>name</EM> containing the count of all entries associated with that name. </P> <P>In pseudo-code, I imagine it working something like this:<BR /> <CODE>stats count(eval(name=n)) as "n"</CODE> creating a new <EM>n</EM> for every value contained in <EM>name</EM>.</P> <P>Is this possible?</P> <P>Can I loop a statement, populating <EM>n</EM> with a new value each time?</P> Wed, 18 Feb 2015 21:42:57 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154897#M43564 mrfredman 2015-02-18T21:42:57Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154898#M43565 <P>Can you add a sample of your input data and what the output should look like so that we get a better idea what you are trying to achieve.</P> Wed, 18 Feb 2015 23:08:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154898#M43565 ramdaspr 2015-02-18T23:08:25Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154899#M43566 <P>I can't go into too much detail, but I'll do my best.</P> <P>My input contains 3 columns: id, name, and created date. </P> <P>The output I'm looking for is: a row for each month of the year, with a column name, and a count of ids per name/month.</P> <P>Sort of like this:</P> <PRE><CODE> Name Name2 Name3 Jan-14 1 0 3 Feb-14 2 4 4 Mar-14 0 0 1 </CODE></PRE> <P>(I've got all the time conversion and sorting figured out, I'm just having trouble sorting by both month and name (I can easily do one or the other but not both) so I figured if each name had a field I could just count those fields by month)</P> Wed, 18 Feb 2015 23:29:59 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154899#M43566 mrfredman 2015-02-18T23:29:59Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154900#M43567 <PRE><CODE>.. | stats count(name) by date, name | transpose </CODE></PRE> Wed, 18 Feb 2015 23:42:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154900#M43567 ramdaspr 2015-02-18T23:42:53Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154901#M43568 <P>While that almost works, the end goal (which I haven't yet mentioned, apologies) is to chart this data in a line graph with a line for each name. </P> <P>As far as I can tell, I can't do this unless I'm able to break out each name into it's own field and ensure there is only 1 row per date.</P> Wed, 18 Feb 2015 23:48:21 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154901#M43568 mrfredman 2015-02-18T23:48:21Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154902#M43569 <P>chart count over Name by month?</P> Thu, 19 Feb 2015 01:37:57 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154902#M43569 Raghav2384 2015-02-19T01:37:57Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154903#M43570 <PRE><CODE>chart count(name) over date by name </CODE></PRE> <P>should give a line graph with lines for names and count as Y Axis and Date as the X-axis</P> Thu, 19 Feb 2015 02:17:36 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154903#M43570 ramdaspr 2015-02-19T02:17:36Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154904#M43571 <P>That did the trick. Thanks!</P> <P>This creates a new problem were all but the top 11 names get lumped into an Other category, but this certainly answers my initial question. </P> Thu, 19 Feb 2015 21:46:15 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154904#M43571 mrfredman 2015-02-19T21:46:15Z https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154905#M43572 <PRE><CODE> chart count(name) over date by name useother=f </CODE></PRE> <P>to force all series to be shown.</P> Thu, 19 Feb 2015 22:25:21 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-create-a-new-field-for-each-value-contained-in-an-existing/m-p/154905#M43572 ramdaspr 2015-02-19T22:25:21Z