Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to break multiple values of a column into a new column name

kdoma
Explorer
‎09-26-2016 08:39 AM

How to break multiple values of a column into new column name?

Swipe_Entry_Type
In
In
In
Out
Out
Out

Swipe_Entry_Type_In
In
In
In

Swipe_Entry_Type_Out
Out
Out
Out

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎09-26-2016 09:40 AM

Try like this

your current search giving fields Swipe_Entry_Type,Swipe_Time,Department,Student,Name 
| eval Swipe_Entry_In=if(Swipe_Entry_Type="In",Swipe_Entry_Type,null()) 
| eval Swipe_Entry_Out=if(Swipe_Entry_Type="Out",Swipe_Entry_Type,null()) 
| stats values(Swipe_Entry_In) as Swipe_Entry_In values(Swipe_Entry_Out) as Swipe_Entry_Out by Department,Student,Name
| table Name Swipe_Entry_In Swipe_Entry_Out Department Student
0 Karma
Reply

kdoma
Explorer
‎09-26-2016 09:53 AM

I want to convert Swipe_Time into Swipe_Time_In and Swipe_Time_Out based on the values

Swipe_Entry_Type,Swipe_Time,Department,Student,Name
In,2015-07-28 09:00:01 AM,CSE,CB049201,Sumanth
In,2015-07-28 09:00:01 AM,CSE,CB049202,Ramya
Out,2015-07-28 05:08:01 PM,CSE,CB049201,Sumanth
Out,2015-07-28 05:08:01 PM,CSE,CB049202,Ramya

if it is AM then new column as Swipe_Time_In and if it is PM then new column as Swipe_Time_Out

0 Karma
Reply

sundareshr
Legend
‎09-26-2016 08:49 AM

Try this

base search | mvexpand Swipe_Entry_Type | stats values(eval(Swipe_Entry_Type="In")) as Swipe_Entry_Type_In values(eval(Swipe_Entry_Type="Out")) as Swipe_Entry_Type_Out | table Swipe_Entry_Type_In Swipe_Entry_Type_Out
0 Karma
Reply

somesoni2
Revered Legend
‎09-26-2016 08:49 AM

Is Swipe_Entry_Type a multivalued field OR regular fields (single value per row). Share the query which is getting you this.

0 Karma
Reply

kdoma
Explorer
‎09-26-2016 09:02 AM

My Input:

Swipe_Entry_Type,Swipe_Time,Department,Student,Name
In,2015-07-28 09:00:01 AM,CSE,CB049201,Sumanth
In,2015-07-28 09:00:01 AM,CSE,CB049202,Ramya
Out,2015-07-28 05:08:01 PM,CSE,CB049201,Sumanth
Out,2015-07-28 05:08:01 PM,CSE,CB049202,Ramya

output should be
Name Swipe_Entry_In Swipe_Entry_Out Time_Entry_In Time_entry_Out Department Student
Sumanth In Out Time Tine CSE CB049201

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...