Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to turn a multivalued field with an arbitrary number of elements into columns?

responsys_cm
Builder
‎02-19-2016 03:00 PM

I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks something like:

host application

server1 splunk,apache,named

server2 apache,tomcat

I would like to convert it into the following column format:

host application1 application2 application3 application4...
server1 splunk apache named
server2 apache tomcat

I know I can use eval and mvindex to manually create each column name and then transpose them, but without some kind of for loop, I would have to create a search with the eval statements up to the maximum mvindex value I expect to see.

Is there any way to do this without having to manually create each new column name?

Thx.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 03:36 PM

Try something like this 

your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0

View solution in original post

Reply
Solved! Jump to solution

pretzel2
Path Finder
‎12-29-2020 01:12 PM

Awesome search!     Thank you VERY much. 

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-19-2016 03:36 PM

Try something like this 

your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0
Reply
Solved! Jump to solution

_jgpm_
Communicator
‎10-19-2017 09:04 AM

Very powerful transaction. This should be a native command.

0 Karma
Reply
Solved! Jump to solution

responsys_cm
Builder
‎02-19-2016 03:58 PM

Let no one ever say you aren't a Splunk ninja. Thank you so much!

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...