Getting Data In

How to split values that appear in one row?

ikoniasavina
Explorer

I have search querrie created from json file. Problem is values that i have appear in one row, instead of 3 rows(in json file we have three ids with number and status). Thanks in advance!!
alt text

0 Karma
1 Solution

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval id="02,03,01" 
| makemv delim="," id 
| appendcols 
    [| makeresults 
    | eval Number="30,20,40" 
    | makemv delim="," Number] 
| appendcols 
    [| makeresults 
    | eval Status="In progress,In Progress,To Do" 
    | makemv delim="," Status] 
| fields - _time 
| eval temp=mvzip(mvzip(id,Number),Status) 
| fields temp 
| mvexpand temp 
| eval temp_value=split(temp,",") 
| eval id=mvindex(temp_value,0), Number=mvindex(temp_value,1), Status=mvindex(temp_value,2) 
| table id Number Status

View solution in original post

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval id="02,03,01" 
| makemv delim="," id 
| appendcols 
    [| makeresults 
    | eval Number="30,20,40" 
    | makemv delim="," Number] 
| appendcols 
    [| makeresults 
    | eval Status="In progress,In Progress,To Do" 
    | makemv delim="," Status] 
| fields - _time 
| eval temp=mvzip(mvzip(id,Number),Status) 
| fields temp 
| mvexpand temp 
| eval temp_value=split(temp,",") 
| eval id=mvindex(temp_value,0), Number=mvindex(temp_value,1), Status=mvindex(temp_value,2) 
| table id Number Status

ikoniasavina
Explorer

Thanks. This looks great! But it should be done without given values.

0 Karma

vnravikumar
Champion

Hi

Try this

source="jsonfile" 
| rename customfield_1 AS id, customfield_2 AS Status, customfield_3 AS Number 
| eval data=mvzip(mvzip(id,Number),Status) 
| mvexpand data 
| makemv data delim="," 
| eval id=mvindex(data,0),Number=mvindex(data,1), Status=mvindex(data,2) 
| fields - data

ikoniasavina
Explorer

This is great!!They are separated now with their values. Is it possible to make a table only from those three: id, number and label. because a result returns also other fields. could you help me with that?

0 Karma

vnravikumar
Champion

You can use table command with the required column at the end

ikoniasavina
Explorer

Great! Thank You very much!

0 Karma

vnravikumar
Champion

Please accept the answer.

0 Karma

to4kawa
Ultra Champion

use mvzip to three fields. and mvexpand and re-extract them.

0 Karma

ikoniasavina
Explorer

Can you show me on example querry

0 Karma

to4kawa
Ultra Champion

what's your query?

0 Karma

ikoniasavina
Explorer

yes.
source="jsonfile" |rename customfield_1 AS id, customfield_2 AS Status, customfield_3 AS Number | eval data=mvzip(id,Number,Status)| mvexpand data| makemv data delim=","| eval id=mvindex(data,0),Number=mvindex(data,1), Status=mvindex(data,2)| fields - data

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...