Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert partial rows into columns?

splunkrocks2014
Communicator
‎10-24-2016 02:34 PM

Hi. I have a search query returning the result as the following format:

Application   Service    Owner   Location    Status
===========   =======    =====   ========    ======
app1          srv_1      John     Loc_1       1
app1          srv_2      John     Loc_1       2
app1          srv_3      John     Loc_1       3
app2          srv_1      Peter    Loc_2       1
app2          srv_2      Peter    Loc_2       4
app2          srv_3      Peter    Loc_2       5

And I want to convert "Service" and "Status" into columns with this format:

Application    Owner    Location    srv_1    srv_2    srv_3
===========    =====    ========    =====    =====    =====
app1           John     Loc_1        1        2        3
app2           Peter    Loc_2        1        4        5

Does anyone have any ideas?

Thanks a lot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-24-2016 02:40 PM

Try this

your current search | eval group=Application."#".Owner."#".Location | chart values(Status) as Status over group by Service | rex field=group "(?<Application>[^#]+)#(?<Owner>[^#]+)#(?<Location>.+)") | fields - group

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-24-2016 02:40 PM

Try this

your current search | eval group=Application."#".Owner."#".Location | chart values(Status) as Status over group by Service | rex field=group "(?<Application>[^#]+)#(?<Owner>[^#]+)#(?<Location>.+)") | fields - group
0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎10-25-2016 08:40 AM

Thanks a lot.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...