Splunk Search

How to get multiple values of one id in different columns

renuka
Path Finder

I got the output in the form below.

The search is: stats values(status) by id

ID   Status
1    Agreed
     N/A
     Negoiate
2    Agreed
     Submitted

I want to get the values in different columns as given below:

ID   Status
1    Agreed
1    N/A
1    Negoiate
2    Agreed
2    Submitted

For reference, I attached the screenshot below. Can you please suggest me with the


anthonyconstant
Engager

This is great. Anthony Constantinou CWM appreciates your effort.

0 Karma

renjith_nair
SplunkTrust

Try one of these

|stats count by status,id|fields - count

OR

|mvexpand status

 

0 Karma

renuka
Path Finder

After using mvexpand, it's giving me the same output.

0 Karma

ITWhisperer
Ultra Champion

Please check the spelling and case of the mvexpand field, because it should have worked. If it is still not working, please share your query (preferably in a code block).

0 Karma

renuka
Path Finder

I am getting the answer with mvexpand DA_status_variant name,

but the problem is I have n number of variant names in my data. If I give DA_status_* it is not taking it. Can you suggest something for it, so that irrespective of variant name it should expand?

 

 

0 Karma

ITWhisperer
Ultra Champion

What is it that you are hoping to see (for the example in your screenshot)?

0 Karma

renuka
Path Finder

Example in screenshot.

I tried mvexpand for status_variantname,

but I have many variant names in my data. If I give

mvexpand Status_*, it is not giving any output.

Irrespective of variant name, I need to expand the values in the fields...

0 Karma

renjith_nair
SplunkTrust

It wouldn't work as expected if you have multiple multivalue fields created out of a common field, especially if they have a different number of items. Ideally you should stitch them together with mvzip and expand later.

However, in your case, if the number of fields is defined, why don't you try

|stats count by modulename,field1,field2,field3 etc |fields - count

 


0 Karma
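
The mvzip-then-expand approach from the answer above, as an added example that is not part of the original thread. It builds the question's id/status data with makeresults; the `reviewer` field, its values and the `pair` helper field are constructed for illustration, and both multivalue fields are built with the same number of items per id.

```spl
| makeresults count=2
| streamstats count AS id
| eval status=split(if(id=1, "Agreed,N/A,Negoiate", "Agreed,Submitted"), ",")
| eval reviewer=split(if(id=1, "r1,r2,r3", "r4,r5"), ",")
| eval pair=mvzip(status, reviewer, "|")
| mvexpand pair
| eval status=mvindex(split(pair, "|"), 0), reviewer=mvindex(split(pair, "|"), 1)
| table id status reviewer
```

Zipping first keeps each status on the same row as its matching reviewer; mvexpand takes a single field name, so expanding the zipped field once avoids expanding each multivalue field separately.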

renuka
Path Finder

THANK YOU renjith

0 Karma

ITWhisperer
Ultra Champion

| mvexpand Status

0 Karma