Convert single row values to multiple rows

srinathd · ‎10-30-2014

Hi Srinath,

Srinath     USER1   IND0010001
              USER2     IND0010002
              USER3     IND0010003

how to convert above single row values to seperate rows like below

Srinath USER1 IND0010001

Srinath USER2 IND0010002

Srinath USER3 IND0010003

Thanks,
Srinath

somesoni2 · ‎10-30-2014

Try this

index=test sourcetype=testuser | makemv delim="xFD" APPLICATION | makemv delim="xFD" COMPANY | makemv delim="xFD" FUNCTION | stats list(APPLICATION) as application, list(COMPANY_RESTR) as company, list(FUNCTION) as function by USER_NAME | eval temp=mvzip(mvzip(application,company,"#"),function,"#") | mvexpand temp | rex field=temp "(?<application>.*)#(?<company>.*)#(?<function>.*)" | fields - temp

crepantherx · ‎05-15-2021

I also need to do this..... would you please explain me the code I didn't understood.

What is APPLICATION, FUNCTION... and USER_NAME here ? and how does it works

srinathd · ‎10-30-2014

It is fetching the first record for each user if any of the field which is used in the mvzip is null otherwise it is fetching all the records. It is working well if all the values present.

srinathd · ‎10-30-2014

Thanks a lot.. it is working well

lguinn2 · ‎10-30-2014

How did you get the results that you are showing? What was the original search string? What does the data look like? Without this information, I don't think the community can help much.

srinathd · ‎10-30-2014

This is the search quiery

index=test sourcetype=testuser | makemv delim="\xFD" APPLICATION | makemv delim="\xFD" COMPANY | makemv delim="\xFD" FUNCTION | stats list(APPLICATION) as application, list(COMPANY_RESTR) as company, list(FUNCTION) as function by USER_NAME

Convert single row values to multiple rows

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!