Solved: Field values as column name

email2vimalraj · ‎08-18-2019

I've search results something like this:

customerid    tracingid     API     Status
1221          ab3d3         API1    200
1221          ab3d3         API2    400
1221          abcc2         API1    500
1222          abbd333       API1    200
1222          abbd333       API2    200

What I wanted is something like this:

customerid    tracingid   API1  API2
1221          ab3d3       200   400
1221          abcc2       500
1222          abbd333     200   200

I've tried something like what shown here: https://answers.splunk.com/answers/69108/query-results-with-field-values-as-column-header.html, but since I'm new to splunk search, I'm unable to find how do I get without counts.

kamlesh_vaghela · ‎08-19-2019

@email2vimalraj

You can try any from below.

1)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval temp= customerid."-".tracingid
| xyseries temp API Status | eval customerid=mvindex(split(temp,"-"),0),tracingid=mvindex(split(temp,"-"),1) | fields - temp | table  customerid tracingid *

2)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval {API}=Status | fields - API,Status | stats values(*) as * by customerid,tracingid

Thanks

View solution in original post

kamlesh_vaghela · ‎08-19-2019

@email2vimalraj

You can try any from below.

1)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval temp= customerid."-".tracingid
| xyseries temp API Status | eval customerid=mvindex(split(temp,"-"),0),tracingid=mvindex(split(temp,"-"),1) | fields - temp | table  customerid tracingid *

2)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval {API}=Status | fields - API,Status | stats values(*) as * by customerid,tracingid

Thanks

renjith_nair · ‎08-19-2019

@email2vimalraj ,

Try

"your search"|eval {API}=Status|fields - API,Status
|stats values(*) as * by customerid,tracingid

---
What goes around comes around. If it helps, hit it with Karma 🙂

Field values as column name

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation