Solved: Re: Field values as column name

email2vimalraj · ‎08-18-2019

I've search results something like this:

customerid    tracingid     API     Status
1221          ab3d3         API1    200
1221          ab3d3         API2    400
1221          abcc2         API1    500
1222          abbd333       API1    200
1222          abbd333       API2    200

What I wanted is something like this:

customerid    tracingid   API1  API2
1221          ab3d3       200   400
1221          abcc2       500
1222          abbd333     200   200

I've tried something like what shown here: https://answers.splunk.com/answers/69108/query-results-with-field-values-as-column-header.html, but since I'm new to splunk search, I'm unable to find how do I get without counts.

kamlesh_vaghela · ‎08-19-2019

@email2vimalraj

You can try any from below.

1)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval temp= customerid."-".tracingid
| xyseries temp API Status | eval customerid=mvindex(split(temp,"-"),0),tracingid=mvindex(split(temp,"-"),1) | fields - temp | table  customerid tracingid *

2)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval {API}=Status | fields - API,Status | stats values(*) as * by customerid,tracingid

Thanks

View solution in original post

kamlesh_vaghela · ‎08-19-2019

@email2vimalraj

You can try any from below.

1)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval temp= customerid."-".tracingid
| xyseries temp API Status | eval customerid=mvindex(split(temp,"-"),0),tracingid=mvindex(split(temp,"-"),1) | fields - temp | table  customerid tracingid *

2)

| makeresults 
| eval _raw=" customerid    tracingid     API     Status
 1221          ab3d3         API1    200
 1221          ab3d3         API2    400
 1221          abcc2         API1    500
 1222          abbd333       API1    200
 1222          abbd333       API2    200" 
| multikv 
| table customerid tracingid API Status | eval {API}=Status | fields - API,Status | stats values(*) as * by customerid,tracingid

Thanks

renjith_nair · ‎08-19-2019

@email2vimalraj ,

Try

"your search"|eval {API}=Status|fields - API,Status
|stats values(*) as * by customerid,tracingid

---
What goes around comes around. If it helps, hit it with Karma 🙂

Field values as column name

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Field values as column name

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard