https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209408#M61215 <P>I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks something like:</P> <P>host application<BR /><BR /> server1 splunk,apache,named<BR /><BR /> server2 apache,tomcat </P> <P>I would like to convert it into the following column format:</P> <P>host application1 application2 application3 application4...<BR /> server1 splunk apache named<BR /> server2 apache tomcat</P> <P>I know I can use eval and mvindex to manually create each column name and then transpose them, but without some kind of for loop, I would have to create a search with the eval statements up to the maximum mvindex value I expect to see. </P> <P>Is there any way to do this without having to manually create each new column name?</P> <P>Thx.</P> Fri, 19 Feb 2016 23:00:51 GMT responsys_cm 2016-02-19T23:00:51Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209408#M61215 <P>I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks something like:</P> <P>host application<BR /><BR /> server1 splunk,apache,named<BR /><BR /> server2 apache,tomcat </P> <P>I would like to convert it into the following column format:</P> <P>host application1 application2 application3 application4...<BR /> server1 splunk apache named<BR /> server2 apache tomcat</P> <P>I know I can use eval and mvindex to manually create each column name and then transpose them, but without some kind of for loop, I would have to create a search with the eval statements up to the maximum mvindex value I expect to see. </P> <P>Is there any way to do this without having to manually create each new column name?</P> <P>Thx.</P> Fri, 19 Feb 2016 23:00:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209408#M61215 responsys_cm 2016-02-19T23:00:51Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209409#M61216 <P>Try something like this </P> <PRE><CODE>your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?&lt;type&gt;\w+)#(?&lt;application&gt;.*)" | chart values(application) over host by type limit=0 </CODE></PRE> Fri, 19 Feb 2016 23:36:07 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209409#M61216 somesoni2 2016-02-19T23:36:07Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209410#M61217 <P>Let no one ever say you aren't a Splunk ninja. Thank you so much!</P> Fri, 19 Feb 2016 23:58:42 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209410#M61217 responsys_cm 2016-02-19T23:58:42Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209411#M61218 <P>Very powerful transaction. This should be a native command.</P> Thu, 19 Oct 2017 16:04:45 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/209411#M61218 _jgpm_ 2017-10-19T16:04:45Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/534388#M151006 <P>Awesome search!&nbsp; &nbsp; &nbsp;Thank you VERY much.&nbsp;</P> Tue, 29 Dec 2020 21:12:41 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-turn-a-multivalued-field-with-an-arbitrary/m-p/534388#M151006 pretzel2 2020-12-29T21:12:41Z