Splunk Search

How to change the output format of search results?

Engager

Using my splunk query, I am getting the output as follows (X and Y are headers)-

X         Y
-----------
1        A
         B
         C
2        A
         B
         C
3        A
         B
         C
4        A
         B
         C

But I need the output in the below format -

X         Y
-----------
1         A
1         B
1         C
2         A
2         B
2         C
3         A
3         B
3         C
4         A
4         B
4         C

I tried using stats, list, and other formatting commands but it didn't work for me.
Can I get any help? Thanks in advance....

0 Karma
1 Solution

Legend

I assume your query looks like this (you may have list, instead of values)

base search | stats values(y) as y by x

change this to...

base search | stats values(y) as y by x | mvexpand y

View solution in original post

Legend

I assume your query looks like this (you may have list, instead of values)

base search | stats values(y) as y by x

change this to...

base search | stats values(y) as y by x | mvexpand y

View solution in original post

Champion

Good learnings, Sundaresh Sir.

0 Karma