Hello,
I'm trying to get a very specific output format that can be fed into our ticketing system.
I have the following table in Splunk, top line is field names:
sender             recipient          subject
lolwut@domain.com  bob@company.com    example1
lolwut@domain.com  alice@company.com  example2
This can either be a table or a set of stats values() multivalue fields.
I need the final table to output to a CSV like this:
sender lolwut@domain.com
sender lolwut@domain.com
recipient bob@company.com
recipient alice@company.com
subject example1
subject example2
Give this a try
your current search giving fields sender recipient subject
| eval temp=1
| untable temp fieldName fieldValue
| fields - temp
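A self-contained version of the search above, as an added example that is not part of the original posts: `makeresults` rebuilds the two sample rows from the question so that the `untable` step can be run without any indexed data. The last four lines are an addition that goes beyond the answer: `untable` emits its rows event by event (sender, recipient, subject, then sender again), so the hypothetical helper fields `row` and `grp` are used to group the rows by field name in the order shown in the question, and are then dropped.

```spl
| makeresults count=2
| streamstats count AS n
| eval sender="lolwut@domain.com"
| eval recipient=if(n=1, "bob@company.com", "alice@company.com")
| eval subject="example".n
| table sender recipient subject
| eval temp=1
| untable temp fieldName fieldValue
| fields - temp
| streamstats count AS row
| eval grp=case(fieldName="sender", 1, fieldName="recipient", 2, fieldName="subject", 3)
| sort 0 grp row
| fields - grp row
```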
This worked for me, never heard of the untable command and the doc is a bit weak but this got what I needed. Thank you much!