Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you make fields into individual rows with e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that does the following:
| inputlookup system_scores.csv
| search "big search goes here"
| fields server_org both_server_desktop_score desktop_score server_score
The search gives me the my custom score for each org and the score for each type of machine (which is what I expect from the search):
server_org both_server_desktop_score desktop_score server_score
Bob 60 10 40
Alice 40 10 30
Jill 10 5 5
However, I would like to get each column into a row for each of the scores/type of device. My envision the search would look like this:
server_org server_type Score
Bob both_server_desktop_score 60
Bob desktop_score 10
Bob server_score 40
Alice both_server_desktop_score 40
Alice desktop_score 10
Alice server_score 30
Jill both_server_desktop_score 10
Jill desktop_score 5
Jill server_score 5
Is this possible? Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use
| untable server_org FieldName FieldValue
See more https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Untable
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...
| eval server_type=mvappend("both_server_desktop_score", "desktop_score", "server_score")
| eval Score=mvappend(both_server_desktop_score, desktop_score, server_score)
| eval combined=mvzip(server_type, Score, "=")
| fields server_org, combined
| mvexpand combined
| rex field=combined "(?<server_type>[^=]*)=(?<Score>.*)"
| table server_org, server_type, Score
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This appears to work as well, but the "table" command simplifies it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use
| untable server_org FieldName FieldValue
See more https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Untable
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works! Sorry it took a while to get back, this site wouldn't let me do anything on it because it was throwing 500 errors.
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Splunk Observability for AI
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
