All Apps and Add-ons

search for converting the column to rows :

vikasreddy
Explorer

Need Help in converting the Columns to  single rows depending on the primary key column values .

 I have a  data show in below  with 3 columns 

DocID  | DocType        |  DocProperty

123       | soft Copy       |   xy

123       | Hard Copy     | zx

124       |   Softcopy      |xy

 I need result as shown below 

DocID  | DocType 1   | DocType 2  |  DocProperty1  | DocProperty1

123       | soft Copy     | Hard Copy   | xy                            | zx

124       |   Softcopy    |xy


 Note :I have tried  different ways but no luck all i am getting is 

DocID  | DocType 1   | DocType 2  |  DocProperty1  | DocProperty1

123       | soft Copy       | Empty cell  | xy                          | Emptycell

123       | Empty cell     | Hard Copy   | Emptycell           | zx

124       |   Softcopy    |xy

related records should be In one line without empty cell .


Thanks !

Labels (1)
0 Karma

to4kawa
Ultra Champion

sample:

| makeresults
| eval _raw="DocID,DocType,DocProperty
123,soft Copy,xy
123,Hard Copy,zx
124,Softcopy,xy"
| multikv forceheader=1
| table DocID,DocType,DocProperty
| rename COMMENT as "this is logic"
| untable DocID types values
| streamstats global=f count by DocID types
| eval types=types.count
| xyseries DocID types values
| table DocID DocType* DocProperty*

untable and xyseries are useful.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you're getting that far, then adding a stats command should get you the rest of the way.

... | stats values(*) as * by DocID
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...