Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to split values that appear in one row?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
05:07 AM
I have search querrie created from json file. Problem is values that i have appear in one row, instead of 3 rows(in json file we have three ids with number and status). Thanks in advance!!
alt text
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
05:39 AM
Hi
Try this
| makeresults
| eval id="02,03,01"
| makemv delim="," id
| appendcols
[| makeresults
| eval Number="30,20,40"
| makemv delim="," Number]
| appendcols
[| makeresults
| eval Status="In progress,In Progress,To Do"
| makemv delim="," Status]
| fields - _time
| eval temp=mvzip(mvzip(id,Number),Status)
| fields temp
| mvexpand temp
| eval temp_value=split(temp,",")
| eval id=mvindex(temp_value,0), Number=mvindex(temp_value,1), Status=mvindex(temp_value,2)
| table id Number Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
05:39 AM
Hi
Try this
| makeresults
| eval id="02,03,01"
| makemv delim="," id
| appendcols
[| makeresults
| eval Number="30,20,40"
| makemv delim="," Number]
| appendcols
[| makeresults
| eval Status="In progress,In Progress,To Do"
| makemv delim="," Status]
| fields - _time
| eval temp=mvzip(mvzip(id,Number),Status)
| fields temp
| mvexpand temp
| eval temp_value=split(temp,",")
| eval id=mvindex(temp_value,0), Number=mvindex(temp_value,1), Status=mvindex(temp_value,2)
| table id Number Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:05 AM
Thanks. This looks great! But it should be done without given values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
06:21 AM
Hi
Try this
source="jsonfile"
| rename customfield_1 AS id, customfield_2 AS Status, customfield_3 AS Number
| eval data=mvzip(mvzip(id,Number),Status)
| mvexpand data
| makemv data delim=","
| eval id=mvindex(data,0),Number=mvindex(data,1), Status=mvindex(data,2)
| fields - data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:29 AM
This is great!!They are separated now with their values. Is it possible to make a table only from those three: id, number and label. because a result returns also other fields. could you help me with that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
06:42 AM
You can use table command with the required column at the end
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:48 AM
Great! Thank You very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
06:52 AM
Please accept the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-12-2020
05:36 AM
use mvzip to three fields. and mvexpand and re-extract them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:06 AM
Can you show me on example querry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-12-2020
06:09 AM
what's your query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:13 AM
yes.
source="jsonfile" |rename customfield_1 AS id, customfield_2 AS Status, customfield_3 AS Number | eval data=mvzip(id,Number,Status)| mvexpand data| makemv data delim=","| eval id=mvindex(data,0),Number=mvindex(data,1), Status=mvindex(data,2)| fields - data
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
Splunkbase Unveils New App Listing Management Public Preview
Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...
