Solved: Re: How to convert partial rows into columns?

splunkrocks2014 · ‎10-24-2016

Hi. I have a search query returning the result as the following format:

Application   Service    Owner   Location    Status
===========   =======    =====   ========    ======
app1          srv_1      John     Loc_1       1
app1          srv_2      John     Loc_1       2
app1          srv_3      John     Loc_1       3
app2          srv_1      Peter    Loc_2       1
app2          srv_2      Peter    Loc_2       4
app2          srv_3      Peter    Loc_2       5

And I want to convert "Service" and "Status" into columns with this format:

Application    Owner    Location    srv_1    srv_2    srv_3
===========    =====    ========    =====    =====    =====
app1           John     Loc_1        1        2        3
app2           Peter    Loc_2        1        4        5

Does anyone have any ideas?

Thanks a lot.

sundareshr · ‎10-24-2016

Try this

your current search | eval group=Application."#".Owner."#".Location | chart values(Status) as Status over group by Service | rex field=group "(?<Application>[^#]+)#(?<Owner>[^#]+)#(?<Location>.+)") | fields - group

View solution in original post

sundareshr · ‎10-24-2016

Try this

your current search | eval group=Application."#".Owner."#".Location | chart values(Status) as Status over group by Service | rex field=group "(?<Application>[^#]+)#(?<Owner>[^#]+)#(?<Location>.+)") | fields - group

splunkrocks2014 · ‎10-25-2016

Thanks a lot.

How to convert partial rows into columns?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation