Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- I am trying to create a multivalue where I should ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gemrose
Explorer
06-27-2022
11:12 PM
For example if my data is
platform = "operational", task="draft||draft-published",jobstart="2021-06-27T15:46:08.34666||2021-06-27T18:46:08.70000, jobend="2021-06-28T12:86:08.37836||2021-06-28T18:46:08.70990"
I need in the below format. I tried makemv delim="||" task but this happens for only one field. Is there any other option available ?
| platform | task | jobstart | jobend |
| operational | draft | 2021-06-27T15:46:08.34666 | 2021-06-28T12:86:08.37836 |
| operational | draft-published | 2021-06-27T18:46:08.70000 | 2021-06-28T18:46:08.70990 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danielcj
Communicator
06-27-2022
11:23 PM
Hello,
Please try the following (The first two lines are just to mock your data as an example):
| makeresults
| eval platform = "operational", task="draft||draft-published",jobstart="2021-06-27T15:46:08.34666||2021-06-27T18:46:08.70000", jobend="2021-06-28T12:86:08.37836||2021-06-28T18:46:08.70990"
| eval jobstart = split(jobstart, "||"), task = split(task,"||"), jobend = split(jobend,"||")
| eval multivalue = mvzip(mvzip(task, jobstart), jobend)
| mvexpand multivalue
| makemv multivalue delim=","
| eval task = mvindex(multivalue, 0), jobstart = mvindex(multivalue, 1), jobend = mvindex(multivalue, -1)
| table platform, task, jobstart, jobend- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gemrose
Explorer
06-28-2022
04:57 AM
Thank you @danielcj. your solution helped me a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danielcj
Communicator
06-27-2022
11:23 PM
Hello,
Please try the following (The first two lines are just to mock your data as an example):
| makeresults
| eval platform = "operational", task="draft||draft-published",jobstart="2021-06-27T15:46:08.34666||2021-06-27T18:46:08.70000", jobend="2021-06-28T12:86:08.37836||2021-06-28T18:46:08.70990"
| eval jobstart = split(jobstart, "||"), task = split(task,"||"), jobend = split(jobend,"||")
| eval multivalue = mvzip(mvzip(task, jobstart), jobend)
| mvexpand multivalue
| makemv multivalue delim=","
| eval task = mvindex(multivalue, 0), jobstart = mvindex(multivalue, 1), jobend = mvindex(multivalue, -1)
| table platform, task, jobstart, jobend
Get Updates on the Splunk Community!
.conf25 Community Recap
Hello Splunkers,
And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...
Splunk App Developers | .conf25 Recap & What’s Next
If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
