Splunk Search

How do I expand rows in a lookup into columns?

ajdyer2000
Path Finder

Hi

Still learning the language. Hopefully this is a simple one.

I have a lookup that displays as

Computer1 user1 user2 user3
Computer2 user1 user2 user3
Computer3 user1 user2 user3

I would like it to display

Computer1 user1
Computer1 user2
Computer1 user3
Computer2 user1
Computer2 user2
Computer2 user3
Computer3 user1
Computer3 user2
Computer3 user3

0 Karma

somesoni2
Revered Legend

Found one method (assuming first field in your lookup is host)

| inputlookup yourlookup.csv | untable host fields users | table host users

lguinn2
Legend

Not really that simple, but possible. Assume that the fields containing the user names are called "name1,name2,name3" and that the pipe symbol "|" cannot appear in the user names.

Do this

yoursearch or lookup
| eval User = name1 . "|" . name2 . "|" . name3
| makemv delim="|" User
| mvexpand User

First this concatenates the user names into a single field delimited by "|". The makemv command turns that field into a multi-valued field. Finally the mvexpand command makes a separate result for each value of the multi-valued field.

0 Karma
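Added example, not from any of the posters: a variant of the approach above for lookups where the number of user columns varies or some cells are empty. An eval concatenation with "." returns null when any operand is null, which would leave that host with no User value. The field names host and name1..name3 follow the answers' assumptions, and the sample rows are constructed.

```spl
| makeresults format=csv data="host,name1,name2,name3
Computer1,user1,user2,user3
Computer2,user1,,user3
Computer3,user1,user2,"
| foreach name*
    [ eval User = mvappend(User, if(len('<<FIELD>>') > 0, '<<FIELD>>', null())) ]
| where isnotnull(User)
| mvexpand User
| table host User
```

Against a real lookup, replace the makeresults line with `| inputlookup yourlookup.csv`; makeresults with format=csv is only available in recent Splunk releases. Computer2 and Computer3 each yield two rows because mvappend skips the empty cells instead of nulling the whole field.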

somesoni2
Revered Legend

Is the number of columns fixed?

0 Karma