Splunk Search

How to get multiple values of one id in different columns

renuka
Path Finder

I got the output in the form below.

Search is: stats values(status) by id

ID   Status
1    Agreed
     N/A
     Negoiate
2    Agreed
     Submitted

I want to get the values in different columns as given below:

ID   Status
1    Agreed
1    N/A
1    Negoiate
2    Agreed
2    Submitted

For reference I attached the screenshot below. Can you please suggest me with the 


anthonyconstant
Engager

This is great. Anthony Constantinou CWM appreciate your effort.

0 Karma

renjith_nair
Legend

Try one of these

|stats count by status,id|fields - count

OR

|mvexpand status

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

renuka
Path Finder

After using mvexpand, it's giving me the same output.

0 Karma

ITWhisperer
SplunkTrust

Please check the spelling and case of the mvexpand field because it should have worked. If it is still not working, please share your query (preferably in a code block)

0 Karma

renuka
Path Finder

I am getting the answer with mvexpand DA_status_variant name,

but the problem is I have n number of variant names in my data. If I give DA_status_*, it is not taking it. Can you suggest something for it, so that irrespective of variant name it should expand?

 

 

0 Karma

ITWhisperer
SplunkTrust

What is it that you are hoping to see (for the example in your screenshot)?

0 Karma

renuka
Path Finder

Example in screenshot.

I tried mvexpand for status_variantname,

but I have many variant names in my data. If I give

mvexpand Status_*, it is not giving any output.

Irrespective of variant name, I need to expand the values in the fields...

0 Karma

renjith_nair
Legend

It wouldn't work as expected if you have multiple multivalue fields created out of a common field, especially if they have different numbers of items. Ideally you should stitch them together with mvzip and expand later.

However, in your case, if the number of fields is defined, why don't you try

|stats count by modulename,field1,field2,field3 etc |fields - count

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
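
The stitch-then-expand idea from the answer above, as an added example that is not part of the original thread. It generates constructed sample rows with makeresults; the field names Status_A and Status_B and their values are assumptions standing in for two variant fields, and it pairs values by position with mvrange and mvindex in place of mvzip so that fields with different numbers of values keep all their items.

```spl
| makeresults count=2
| streamstats count AS id
| eval Status_A=if(id=1, "Agreed,N/A,Negotiate", "Agreed,Submitted")
| eval Status_B=if(id=1, "Open,Closed", "Open,Closed,Pending")
| eval Status_A=split(Status_A, ","), Status_B=split(Status_B, ",")
| eval idx=mvrange(0, max(mvcount(Status_A), mvcount(Status_B)))
| mvexpand idx
| eval Status_A=mvindex(Status_A, idx), Status_B=mvindex(Status_B, idx)
| table id Status_A Status_B
```

Each id yields one row per position, with an empty cell where the shorter field has run out, rather than the cross product that two separate mvexpand commands would give.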

renuka
Path Finder

THANK YOU renjith

0 Karma

ITWhisperer
SplunkTrust
| mvexpand Status
0 Karma