Solved: Split MV into new table rows

ereed18 · ‎01-31-2017

I have rows where data looks like..

Value1^Value2^Value3
Value4^Value5
Value6
Value7^Value8

My query (below)...
search here | eval temp=split(FieldA,"^") | table temp

Makes the following..
1.Value1
Value2
Value3
2.Value4
Value5
3.....

I need each value to be on a separate row. Additionally, I need the count of each time the row is returned in the event. Currently when I add "| stats count by FieldA as hits" no data is returned.

Please help!

somesoni2 · ‎01-31-2017

To see every field value in separate row

search here | eval temp=split(FieldA,"^") | table temp | mvexpand temp

To get the count

search here | eval temp=split(FieldA,"^") | table temp | stats count as hits by temp

View solution in original post

somesoni2 · ‎01-31-2017

To see every field value in separate row

search here | eval temp=split(FieldA,"^") | table temp | mvexpand temp

To get the count

search here | eval temp=split(FieldA,"^") | table temp | stats count as hits by temp

ereed18 · ‎02-01-2017

I had to move "mvexpand" in front of "table", but that works. Additionally, count had to go to the end when I was trying to count, table the field and count then expand the rows. I think my order might have caused my issues. Thanks!

Split MV into new table rows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation