Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Convert single row values to multiple rows
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert single row values to multiple rows
Hi Srinath,
Srinath USER1 IND0010001
USER2 IND0010002
USER3 IND0010003
how to convert above single row values to seperate rows like below
Srinath USER1 IND0010001
Srinath USER2 IND0010002
Srinath USER3 IND0010003
Thanks,
Srinath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=test sourcetype=testuser | makemv delim="xFD" APPLICATION | makemv delim="xFD" COMPANY | makemv delim="xFD" FUNCTION | stats list(APPLICATION) as application, list(COMPANY_RESTR) as company, list(FUNCTION) as function by USER_NAME | eval temp=mvzip(mvzip(application,company,"#"),function,"#") | mvexpand temp | rex field=temp "(?<application>.*)#(?<company>.*)#(?<function>.*)" | fields - temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also need to do this..... would you please explain me the code I didn't understood.
What is APPLICATION, FUNCTION... and USER_NAME here ? and how does it works- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is fetching the first record for each user if any of the field which is used in the mvzip is null otherwise it is fetching all the records. It is working well if all the values present.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot.. it is working well
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you get the results that you are showing? What was the original search string? What does the data look like? Without this information, I don't think the community can help much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the search quiery
index=test sourcetype=testuser | makemv delim="\xFD" APPLICATION | makemv delim="\xFD" COMPANY | makemv delim="\xFD" FUNCTION | stats list(APPLICATION) as application, list(COMPANY_RESTR) as company, list(FUNCTION) as function by USER_NAME
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
