Solved: How to convert partial rows into columns?

splunkrocks2014 · ‎10-24-2016

Hi. I have a search query returning the result as the following format:

Application   Service    Owner   Location    Status
===========   =======    =====   ========    ======
app1          srv_1      John     Loc_1       1
app1          srv_2      John     Loc_1       2
app1          srv_3      John     Loc_1       3
app2          srv_1      Peter    Loc_2       1
app2          srv_2      Peter    Loc_2       4
app2          srv_3      Peter    Loc_2       5

And I want to convert "Service" and "Status" into columns with this format:

Application    Owner    Location    srv_1    srv_2    srv_3
===========    =====    ========    =====    =====    =====
app1           John     Loc_1        1        2        3
app2           Peter    Loc_2        1        4        5

Does anyone have any ideas?

Thanks a lot.

sundareshr · ‎10-24-2016

Try this

your current search | eval group=Application."#".Owner."#".Location | chart values(Status) as Status over group by Service | rex field=group "(?<Application>[^#]+)#(?<Owner>[^#]+)#(?<Location>.+)") | fields - group

View solution in original post

sundareshr · ‎10-24-2016

Try this

your current search | eval group=Application."#".Owner."#".Location | chart values(Status) as Status over group by Service | rex field=group "(?<Application>[^#]+)#(?<Owner>[^#]+)#(?<Location>.+)") | fields - group

splunkrocks2014 · ‎10-25-2016

Thanks a lot.

How to convert partial rows into columns?

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Community Spotlight: A Splunk Expert's Journey

Are you a member of the Splunk Community?

How to convert partial rows into columns?

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Community Spotlight: A Splunk Expert's Journey