Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to format multi-value table

paulholguin
New Member
‎09-26-2019 10:01 AM

I need help formatting a mulitvalue field, the desired output below, followed by data in the field.

For the data in each event, we need 5 field-values in each row, hope this makes sense...

Desired output:

_time Field-Name
2019-09-25 13:45:15.810 000101194,000005090,000000845,000962003
000962000,000962002,000962004,000024909
000962001,000038594
_time Field-Name
2019-09-25 13:47:15.810 000101194,000005090,000000845,000962003
000962000,000962002,000962004,000024909
000962001,000038594,000962004,000024909
Data In field

000101194;000005090;000000845;000962003;000962000;000962002;000962004;000024909;000962001;000038594
000101194;000005090;000000845;000962003;000962000;000962002;000962004;000024909;000962001;000038594;000962001;00003859

0 Karma
Reply

paulholguin
New Member
‎09-27-2019 07:48 AM

| eval TradingPartnerKPGroupNum=TradingPartnerKPGroupNum + ";"
| makemv tokenizer="(([\d]*[;]){1,5})" TradingPartnerKPGroupNum
| eval TradingPartnerKPGroupNum=rtrim(TradingPartnerKPGroupNum, ";")

0 Karma
Reply

Anantha123
Communicator
‎09-26-2019 10:18 AM

Try this

query
| eval fieldName = field1+","+field2+","+field3+","+field4+","+field5
| table _time fieldName

0 Karma
Reply

paulholguin
New Member
‎09-27-2019 07:48 AM

I created this, works well, thanks for you support.

| eval TradingPartnerKPGroupNum=TradingPartnerKPGroupNum + ";"
| makemv tokenizer="(([\d]*[;]){1,5})" TradingPartnerKPGroupNum
| eval TradingPartnerKPGroupNum=rtrim(TradingPartnerKPGroupNum, ";")

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...