Solved: Changing rows to columns and maintaining associati...

_Mauro_Costa_ · ‎05-17-2021

Hello,
I have a table of items and I need to convert the results in the rows "pa_name" and "pa_valor" to columns and keep the relacion of each one.

An example, I have this:

index="items" id IN (3438776 3131202 3438780)
| stats latest(pa_nome) AS pa_nome
latest(ipa_valor) AS ipa_valor
BY id
| makemv delim=";" pa_nome
| makemv delim=";" ipa_valor

I want this:

Can someone help me?

ITWhisperer · ‎05-17-2021

| makeresults
| eval _raw="id,pa_nome,ipa_valor
3131202,MAC Address,D0765812D877
3438776,ID de Projeto;Serial Number,PCW.609.20;CNJDJSS4X4
3438780,Serial Number;ID de Projeto,CNJDJSS9GS;PCW.609.20"
| multikv forceheader=1
| fields - _* linecount 


| makemv delim=";" pa_nome
| makemv delim=";" ipa_valor
| streamstats count as row
| mvexpand pa_nome
| streamstats count as index by row
| eval ipa_valor=mvindex(ipa_valor,index-1)
| eval {pa_nome}=ipa_valor
| fields - index ipa_valor pa_nome
| stats values(*) as * by row
| fields - row
| table id *

View solution in original post

kamlesh_vaghela · ‎05-17-2021

@_Mauro_Costa_

You ca try this also.

YOUR_SEARCH
| eval t=mvzip(ipa_valor,pa_nome) |mvexpand t | eval ipa_valor=mvindex(split(t,","),0),pa_nome=mvindex(split(t,","),1) | chart values(ipa_valor) over id by pa_nome

Sample Search:

| makeresults 
| eval d= "id=3131202 ,pa_nome=\"MAC Address\",ipa_valor=\"D0765\"|id=3131266 ,pa_nome=\"ID De Projecto,Serial Number\",ipa_valor=\"PCW,CNJ\"|id=3131780 ,pa_nome=\"Serial Number,ID De Projecto\",ipa_valor=\"CNJ,PCW\"
    " | eval d=split(d,"|") 
| mvexpand d | eval _raw=d | kv | fields - d, _raw
| eval ipa_valor=split(ipa_valor,","),pa_nome=split(pa_nome,",")
| rename comment as "Upto Now is sample data only" 
| eval t=mvzip(ipa_valor,pa_nome) |mvexpand t | eval ipa_valor=mvindex(split(t,","),0),pa_nome=mvindex(split(t,","),1) | chart values(ipa_valor) over id by pa_nome

Thanks
KV
▄︻̷̿┻̿═━一

If this reply helps you, an upvote would be appreciated.

ITWhisperer · ‎05-17-2021

| makeresults
| eval _raw="id,pa_nome,ipa_valor
3131202,MAC Address,D0765812D877
3438776,ID de Projeto;Serial Number,PCW.609.20;CNJDJSS4X4
3438780,Serial Number;ID de Projeto,CNJDJSS9GS;PCW.609.20"
| multikv forceheader=1
| fields - _* linecount 


| makemv delim=";" pa_nome
| makemv delim=";" ipa_valor
| streamstats count as row
| mvexpand pa_nome
| streamstats count as index by row
| eval ipa_valor=mvindex(ipa_valor,index-1)
| eval {pa_nome}=ipa_valor
| fields - index ipa_valor pa_nome
| stats values(*) as * by row
| fields - row
| table id *

renjith_nair · ‎05-17-2021

Try

|eval {pa_nome}=ipa_valor

Happy Splunking!

Changing rows to columns and maintaining association

fields

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...