Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to split stats values() into other rows?

bofasplunkguy
Explorer
‎05-09-2019 09:35 AM

I am trying to show a "primary" and "secondary" IP in rows to recreate a spreadsheet. I currently have a search like:

search query | stats values (IP) as IPs by user

This will return all of my users, with the corresponding IPs. Some users have only one, while others also have a secondary. I would like the primary and secondary to be separate columns, rather than having both combined in a single cell. I was trying to use rex to separate them, but my fields come back empty:

|rex field=IPs "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})[\r\n]"(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
|table user primary secondary

I think the issue is with the linebreak [r/n] as I can extract just the primary this way. Please advise how to split the stats values into separate rows, either using regex or if there is a better way.

Tags (1)
0 Karma
Reply

Habanero
Explorer
‎05-10-2024 07:18 AM

Hello @bofasplunkguy,

I am in the same predicament as yours. Did you ever find an answer to your problem?

0 Karma
Reply

DanielPi
Moderator
Moderator
‎05-10-2024 08:52 AM

Hi @Habanero,

I’m a Community Moderator in the Splunk Community.

This question was posted 5 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

0 Karma
Reply

Vijeta
Influencer
‎05-09-2019 09:56 AM

You can try mvexpand-

search query | stats values (IP) as IPs by user | mvexpand IPs
Reply

bofasplunkguy
Explorer
‎05-09-2019 10:08 AM

mvexpand breaks the values back into separate rows, which is how they already are before the stats values() command.

I want these in separate columns, not separate rows. Does that make sense? I want to end up with a table with three columns like:

| table user primary secondary

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...