How to format multi-value table

paulholguin · ‎09-26-2019

I need help formatting a mulitvalue field, the desired output below, followed by data in the field.

For the data in each event, we need 5 field-values in each row, hope this makes sense...

Desired output:

_time Field-Name
2019-09-25 13:45:15.810 000101194,000005090,000000845,000962003
000962000,000962002,000962004,000024909
000962001,000038594
_time Field-Name
2019-09-25 13:47:15.810 000101194,000005090,000000845,000962003
000962000,000962002,000962004,000024909
000962001,000038594,000962004,000024909
Data In field

000101194;000005090;000000845;000962003;000962000;000962002;000962004;000024909;000962001;000038594
000101194;000005090;000000845;000962003;000962000;000962002;000962004;000024909;000962001;000038594;000962001;00003859

paulholguin · ‎09-27-2019

| eval TradingPartnerKPGroupNum=TradingPartnerKPGroupNum + ";"
| makemv tokenizer="(([\d]*[;]){1,5})" TradingPartnerKPGroupNum
| eval TradingPartnerKPGroupNum=rtrim(TradingPartnerKPGroupNum, ";")

Anantha123 · ‎09-26-2019

Try this

query | eval fieldName = field1+","+field2+","+field3+","+field4+","+field5 | table _time fieldName

paulholguin · ‎09-27-2019

I created this, works well, thanks for you support.

| eval TradingPartnerKPGroupNum=TradingPartnerKPGroupNum + ";"
| makemv tokenizer="(([\d]*[;]){1,5})" TradingPartnerKPGroupNum
| eval TradingPartnerKPGroupNum=rtrim(TradingPartnerKPGroupNum, ";")

How to format multi-value table

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?

Are you a member of the Splunk Community?

How to format multi-value table

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?