Splunk Search

Pivot: distinct values as mvcombine

echalex
Builder

Hi,

I'm trying to convert a dashboard based on internal searches to one using data models. One thing I'm missing is that in the internal search I can present the values on a single line by using mvcombine. However, in a pivot, the values will be on a separate line, so the table basically becomes much higher than I want it to be. Does anyone have a nice solution for this?

Tags (3)
0 Karma
1 Solution

echalex
Builder

I was able to solve this myself, so I'm documenting the solution for the benefit of others.
Although, it can't be edited directly by the dashboard or pivot editing functionalities, but there will be a report generated, which you can edit. In there I was able to append the mvcombine. Basically, mvcombine delim=, field_name

Generated report:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

What I appended:

|mvcombine delim=, "Products checked",I found a solution for this, which I want to document.

Although this can't be done directly in pivot or by editing the dashboard itself, but there will be a corresponding report created. (You can see the name of that by editing the dashboard.) This report is of course editable as normal, and you are therefore able to append for example |mvcombine delim=, thefield.

In my example, the report generated was:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

To which I appended:

|mvcombine delim=, "Products checked"

View solution in original post

0 Karma

echalex
Builder

I was able to solve this myself, so I'm documenting the solution for the benefit of others.
Although, it can't be edited directly by the dashboard or pivot editing functionalities, but there will be a report generated, which you can edit. In there I was able to append the mvcombine. Basically, mvcombine delim=, field_name

Generated report:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

What I appended:

|mvcombine delim=, "Products checked",I found a solution for this, which I want to document.

Although this can't be done directly in pivot or by editing the dashboard itself, but there will be a corresponding report created. (You can see the name of that by editing the dashboard.) This report is of course editable as normal, and you are therefore able to append for example |mvcombine delim=, thefield.

In my example, the report generated was:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

To which I appended:

|mvcombine delim=, "Products checked"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...