https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172219#M49343 <P>How to change event field values into field name?</P> <P>Event log sample1:<BR /> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<BR /> id, code, message<BR /> 1, 1111, "one"<BR /> 3, 12345, "three"</P> <P>Event log sample2:<BR /> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`<BR /> id, keyname, keyvalue<BR /> 1, name , john<BR /> 1, place, richmond<BR /> 1, activity, login<BR /> 1, environment, mobile<BR /> 2, name , bob<BR /> 2, lastname, bill<BR /> 3, name, charle<BR /> 3, location, newyork<BR /> 3, activity, transaction<BR /> 4 name, Danny<BR /> 4 lastname, Huber<BR /> 5, name, eugene</P> <P>Both event have common field called "id". I will join both data searches using join command.<BR /> e.g: index=abc code=111 | join id [search index=blah ]</P> <P>But my requirement is, for the above search when the code is 111, i need get the table in following format<BR /> id, code, message, name, place, activity, environment<BR /> 1 , 1111, "one", john, richmond, login, mobile</P> <P>Please note that, the values of keyname and keyvalue are become field-name and its values respectively. Please let me know how to do this?</P> Wed, 06 Aug 2014 02:31:57 GMT splunk_worker 2014-08-06T02:31:57Z https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172219#M49343 <P>How to change event field values into field name?</P> <P>Event log sample1:<BR /> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<BR /> id, code, message<BR /> 1, 1111, "one"<BR /> 3, 12345, "three"</P> <P>Event log sample2:<BR /> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`<BR /> id, keyname, keyvalue<BR /> 1, name , john<BR /> 1, place, richmond<BR /> 1, activity, login<BR /> 1, environment, mobile<BR /> 2, name , bob<BR /> 2, lastname, bill<BR /> 3, name, charle<BR /> 3, location, newyork<BR /> 3, activity, transaction<BR /> 4 name, Danny<BR /> 4 lastname, Huber<BR /> 5, name, eugene</P> <P>Both event have common field called "id". I will join both data searches using join command.<BR /> e.g: index=abc code=111 | join id [search index=blah ]</P> <P>But my requirement is, for the above search when the code is 111, i need get the table in following format<BR /> id, code, message, name, place, activity, environment<BR /> 1 , 1111, "one", john, richmond, login, mobile</P> <P>Please note that, the values of keyname and keyvalue are become field-name and its values respectively. Please let me know how to do this?</P> Wed, 06 Aug 2014 02:31:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172219#M49343 splunk_worker 2014-08-06T02:31:57Z https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172220#M49344 <P>Try this</P> <PRE><CODE> index=abc code=1111 | join id[search index=blah | chart first(keyvalue) by id keyname] </CODE></PRE> Wed, 06 Aug 2014 07:32:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172220#M49344 strive 2014-08-06T07:32:02Z https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172221#M49345 <P>Thanks for ur response.</P> <P>The above searching is putting keyname parameter values as column variables (this 100% fine). But the value from keyvalue is displayed only for one column variable ( created from keyname) per id.</P> Wed, 06 Aug 2014 12:57:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172221#M49345 splunk_worker 2014-08-06T12:57:18Z https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172222#M49346 <P>In your question, you said you need it for code 1111. Take out the condition code=1111 and execute the search.</P> Wed, 06 Aug 2014 14:29:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172222#M49346 strive 2014-08-06T14:29:42Z https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172223#M49347 <P>Try this</P> <PRE><CODE>index=abc code=1111 | join id [search index=blah | xyseries id keyname keyvalue] </CODE></PRE> <P>OR </P> <PRE><CODE>index=abc code=1111 | join id [search index=blah | chart first(keyvalue) over id by keyname] </CODE></PRE> Wed, 06 Aug 2014 15:26:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-data-and-extract-field-values-as-field-names/m-p/172223#M49347 somesoni2 2014-08-06T15:26:57Z