Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pivot certain fields in a set of logs?

bschaap
Path Finder
‎05-15-2018 09:51 AM

I need to pivot only certain fields in a set of logs. Sample data below. Can you tell me how to go about doing this?

**Sample Data**
_time           Id  Server  DetailId    Name    Value
5/15/18 11:00   1   Server1 1           Name1   Value1
5/15/18 11:00   1   Server1 2           Name2   Value2
5/15/18 11:00   1   Server1 3           Name3   Value3
5/15/18 11:01   2   Server1 4           Name1   Value4
5/15/18 11:01   2   Server1 5           Name2   Value5
5/15/18 11:01   2   Server1 6           Name3   Value6

**Desired Results**
_time           Id  Server  Name1   Name2   Name3
5/15/18 11:00   1   Server1 Value1  Value2  Value3
5/15/18 11:01   2   Server1 Value4  Value5  Value6
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-15-2018 10:05 AM

@bschaap, based on the sample data provided try the following run anywhere search.
PS: query from |makeresults till | fields - data generate dummy data as per the question.

| makeresults
| eval data="5/15/18 11:00,1,Server1,1,Name1,Value1;5/15/18 11:00,1,Server1,2,Name2,Value2;5/15/18 11:00,1,Server1,3,Name3,Value3;5/15/18 11:01,2,Server1,4,Name1,Value4;5/15/18 11:01,2,Server1,5,Name2,Value5;5/15/18 11:01,2,Server1,6,Name3,Value6"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval _time=mvindex(data,0),Id=mvindex(data,1),Server=mvindex(data,2),DetailId=mvindex(data,3),Name=mvindex(data,4),Value=mvindex(data,5)
| fields - data
| eval key= _time."-".Id."-".Server
| chart values(Value) by key Name
| makemv key delim="-"
| eval _time=mvindex(key,0), Id=mvindex(key,1), Server=mvindex(key,2)
| table _time Id Server Name*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-15-2018 10:05 AM

@bschaap, based on the sample data provided try the following run anywhere search.
PS: query from |makeresults till | fields - data generate dummy data as per the question.

| makeresults
| eval data="5/15/18 11:00,1,Server1,1,Name1,Value1;5/15/18 11:00,1,Server1,2,Name2,Value2;5/15/18 11:00,1,Server1,3,Name3,Value3;5/15/18 11:01,2,Server1,4,Name1,Value4;5/15/18 11:01,2,Server1,5,Name2,Value5;5/15/18 11:01,2,Server1,6,Name3,Value6"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval _time=mvindex(data,0),Id=mvindex(data,1),Server=mvindex(data,2),DetailId=mvindex(data,3),Name=mvindex(data,4),Value=mvindex(data,5)
| fields - data
| eval key= _time."-".Id."-".Server
| chart values(Value) by key Name
| makemv key delim="-"
| eval _time=mvindex(key,0), Id=mvindex(key,1), Server=mvindex(key,2)
| table _time Id Server Name*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bschaap
Path Finder
‎05-15-2018 11:19 AM

Thank you. My actual data has about 50 different name / value pairs and Splunk is placing most of these in an OTHER column. I then used the limit=0 chart option to display all fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...