Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: splitting many rows in columns
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fabrizioalleva
Path Finder
05-08-2019
06:51 AM
Hello,
I need to transform this table:
Fruits Euro
Apples 2
Banana 1
Strawberry 3
Ananas 3
Blueberry 4
Pear 2
into :
Fruits Euro Fruits Euro
apples 2 Banana 1
Strawb 3 Ananas 3
Bluebe 4 Pear 2
Is there a way ?
Thanks Fabrizio
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
05-08-2019
07:57 AM
You cannot have the same field name in a table have multiple columns when making a table in Splunk. You would need to do a hack to get it to work by appending a space to the name so it appears to be the same but is actually different:
| makeresults count=1
| fields - _time
| eval data="Apples 2
Banana 1
Strawberry 3
Ananas 3
Blueberry 4
Pear 2"
| rex field=data max_match=0 "(?<data>[^\n\e]+)"
| eval data=trim(data)
| mvexpand data
| rex field=data "(?<Fruits>[^\s]+) (?<Euro>\d+)"
| table Fruits Euro
| streamstats reset_after="count=2" count
| streamstats values(Fruits) as joiner window=1 current=f
| eval "Fruits "=if(count=2, Fruits, null())
| eval "Euro "=if(count=2, Euro, null())
| eval joiner=if(count=1, Fruits, joiner)
| eval Fruits=if(count=1, Fruits, null())
| eval Euro=if(count=1, Euro, null())
| stats values(Fruits) as Fruits values(Euro) as Euro values("Fruits ") as "Fruits " values("Euro ") as "Euro " by joiner
| fields - joiner
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-08-2019
09:05 AM
@fabrizioalleva what is the criteria for moving rows to column?
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fabrizioalleva
Path Finder
05-09-2019
12:30 AM
@niketnilay : I have to order a small table with 12 lines, dividing them, for reasons of space in the dashboard, 6 in the first two columns and 6 in the second
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
05-08-2019
07:57 AM
You cannot have the same field name in a table have multiple columns when making a table in Splunk. You would need to do a hack to get it to work by appending a space to the name so it appears to be the same but is actually different:
| makeresults count=1
| fields - _time
| eval data="Apples 2
Banana 1
Strawberry 3
Ananas 3
Blueberry 4
Pear 2"
| rex field=data max_match=0 "(?<data>[^\n\e]+)"
| eval data=trim(data)
| mvexpand data
| rex field=data "(?<Fruits>[^\s]+) (?<Euro>\d+)"
| table Fruits Euro
| streamstats reset_after="count=2" count
| streamstats values(Fruits) as joiner window=1 current=f
| eval "Fruits "=if(count=2, Fruits, null())
| eval "Euro "=if(count=2, Euro, null())
| eval joiner=if(count=1, Fruits, joiner)
| eval Fruits=if(count=1, Fruits, null())
| eval Euro=if(count=1, Euro, null())
| stats values(Fruits) as Fruits values(Euro) as Euro values("Fruits ") as "Fruits " values("Euro ") as "Euro " by joiner
| fields - joiner
If this comment/answer was helpful, please up vote it. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fabrizioalleva
Path Finder
05-09-2019
12:36 AM
PERFECT!!!!! I've to adjust it for my data!!
Thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dmarling
Builder
05-09-2019
03:42 AM
Glad it worked for you. I'm converting my comment to an answer. If you could please accept it once it updates, I would appreciate it. Thank you!
If this comment/answer was helpful, please up vote it. Thank you.
Get Updates on the Splunk Community!
Index This | What did the zero say to the eight?
June 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...
This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
