Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to split values that appear in one row?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
05:07 AM
I have search querrie created from json file. Problem is values that i have appear in one row, instead of 3 rows(in json file we have three ids with number and status). Thanks in advance!!
alt text
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
05:39 AM
Hi
Try this
| makeresults
| eval id="02,03,01"
| makemv delim="," id
| appendcols
[| makeresults
| eval Number="30,20,40"
| makemv delim="," Number]
| appendcols
[| makeresults
| eval Status="In progress,In Progress,To Do"
| makemv delim="," Status]
| fields - _time
| eval temp=mvzip(mvzip(id,Number),Status)
| fields temp
| mvexpand temp
| eval temp_value=split(temp,",")
| eval id=mvindex(temp_value,0), Number=mvindex(temp_value,1), Status=mvindex(temp_value,2)
| table id Number Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
05:39 AM
Hi
Try this
| makeresults
| eval id="02,03,01"
| makemv delim="," id
| appendcols
[| makeresults
| eval Number="30,20,40"
| makemv delim="," Number]
| appendcols
[| makeresults
| eval Status="In progress,In Progress,To Do"
| makemv delim="," Status]
| fields - _time
| eval temp=mvzip(mvzip(id,Number),Status)
| fields temp
| mvexpand temp
| eval temp_value=split(temp,",")
| eval id=mvindex(temp_value,0), Number=mvindex(temp_value,1), Status=mvindex(temp_value,2)
| table id Number Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:05 AM
Thanks. This looks great! But it should be done without given values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
06:21 AM
Hi
Try this
source="jsonfile"
| rename customfield_1 AS id, customfield_2 AS Status, customfield_3 AS Number
| eval data=mvzip(mvzip(id,Number),Status)
| mvexpand data
| makemv data delim=","
| eval id=mvindex(data,0),Number=mvindex(data,1), Status=mvindex(data,2)
| fields - data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:29 AM
This is great!!They are separated now with their values. Is it possible to make a table only from those three: id, number and label. because a result returns also other fields. could you help me with that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
06:42 AM
You can use table command with the required column at the end
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:48 AM
Great! Thank You very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-12-2020
06:52 AM
Please accept the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-12-2020
05:36 AM
use mvzip to three fields. and mvexpand and re-extract them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:06 AM
Can you show me on example querry
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-12-2020
06:09 AM
what's your query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikoniasavina
Explorer
05-12-2020
06:13 AM
yes.
source="jsonfile" |rename customfield_1 AS id, customfield_2 AS Status, customfield_3 AS Number | eval data=mvzip(id,Number,Status)| mvexpand data| makemv data delim=","| eval id=mvindex(data,0),Number=mvindex(data,1), Status=mvindex(data,2)| fields - data
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open.
If ...
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
