Splunk Search

How to get multiple values of one id in different columns

renuka
Path Finder

I got the output in the form of

search is: stats values(status) by id

ID   Status
1    Agreed
     N/A
     Negoiate
2    Agreed
     Submitted

I want to get the values in different column as given below

ID   Status
1    Agreed
1    N/A
1    Negoiate
2    Agreed
2    Submitted

For reference I attached the screenshot below. Can you please suggest me with the


anthonyconstant
Engager

This is great. Anthony Constantinou CWM appreciate your effort.

0 Karma

renjith_nair
SplunkTrust

Try one of these

|stats count by status,id|fields - count

OR

|mvexpand status

 

Happy Splunking!
0 Karma

renuka
Path Finder

After using mvexpand it's giving me the same output.

0 Karma

ITWhisperer
SplunkTrust

Please check the spelling and case of the mvexpand field because it should have worked. If it is still not working, please share your query (preferably in a code block).

0 Karma

renuka
Path Finder

I am getting the answer by mvexpand DA_status_variant name

but the problem is I have n number of variant names in my data. If I give DA_status_* it is not taking it. Can you suggest something for it, so that irrespective of variant name it should expand?

 

 

0 Karma

ITWhisperer
SplunkTrust

What is it that you are hoping to see (for the example in your screenshot)?

0 Karma

renuka
Path Finder

Example in screenshot

I tried by MV expand for status_variantname

but I have many number of variant names in my data. If I give

mvexpand Status_*, it is not giving any output.

Irrespective of variant name I need to expand the values in the fields...

0 Karma

renjith_nair
SplunkTrust

It wouldn't work as expected if you have multiple multivalue fields created out of a common field, especially if they have different number of items. Ideally you should stitch them together with mvzip and expand later.

However in your case, if the number of fields are defined, why don't you try

|stats count by modulename,field1,field2,field3 etc |fields - count

 

Happy Splunking!
0 Karma
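
The mvzip-then-expand approach mentioned in the answer above, as an added example that is not part of the original thread. The field names Status_A and Status_B, their values and the ";" delimiter are constructed for illustration, and both fields are assumed to hold the same number of values for each id:

```spl
| makeresults count=2
| streamstats count AS id
| eval raw_a=if(id=1, "Agreed,N/A,Negoiate", "Agreed,Submitted")
| eval raw_b=if(id=1, "Open,Closed,Open", "Closed,Open")
| eval Status_A=split(raw_a, ","), Status_B=split(raw_b, ",")
| eval zipped=mvzip(Status_A, Status_B, ";")
| mvexpand zipped
| eval parts=split(zipped, ";")
| eval Status_A=mvindex(parts, 0), Status_B=mvindex(parts, 1)
| table id Status_A Status_B
```

Zipping first keeps the values of the two fields paired by position, so the single mvexpand on the zipped field yields one row per pair: three rows for id 1 and two for id 2.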

renuka
Path Finder

THANK YOU renjith

0 Karma

ITWhisperer
SplunkTrust
| mvexpand Status
0 Karma