Solved: Is it possible to turn a multivalued field with an...

responsys_cm · ‎02-19-2016

I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks something like:

host application

server1 splunk,apache,named

server2 apache,tomcat

I would like to convert it into the following column format:

host application1 application2 application3 application4...
server1 splunk apache named
server2 apache tomcat

I know I can use eval and mvindex to manually create each column name and then transpose them, but without some kind of for loop, I would have to create a search with the eval statements up to the maximum mvindex value I expect to see.

Is there any way to do this without having to manually create each new column name?

Thx.

somesoni2 · ‎02-19-2016

Try something like this

your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0

View solution in original post

responsys_cm · ‎02-19-2016

Let no one ever say you aren't a Splunk ninja. Thank you so much!

_jgpm_ · ‎10-19-2017

Very powerful transaction. This should be a native command.

Is it possible to turn a multivalued field with an arbitrary number of elements into columns?

Re: Is it possible to turn a multivalued field with an arbitrary number of elements into columns?

Re: Is it possible to turn a multivalued field with an arbitrary number of elements into columns?

Re: Is it possible to turn a multivalued field with an arbitrary number of elements into columns?