Splunk Search

Pivot: distinct values as mvcombine

echalex
Builder

Hi,

I'm trying to convert a dashboard based on internal searches to one using data models. One thing I'm missing is that in the internal search I can present the values on a single line by using mvcombine. However, in a pivot, the values will be on a separate line, so the table basically becomes much higher than I want it to be. Does anyone have a nice solution for this?

Tags (3)
0 Karma
1 Solution

echalex
Builder

I was able to solve this myself, so I'm documenting the solution for the benefit of others.
Although, it can't be edited directly by the dashboard or pivot editing functionalities, but there will be a report generated, which you can edit. In there I was able to append the mvcombine. Basically, mvcombine delim=, field_name

Generated report:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

What I appended:

|mvcombine delim=, "Products checked",I found a solution for this, which I want to document.

Although this can't be done directly in pivot or by editing the dashboard itself, but there will be a corresponding report created. (You can see the name of that by editing the dashboard.) This report is of course editable as normal, and you are therefore able to append for example |mvcombine delim=, thefield.

In my example, the report generated was:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

To which I appended:

|mvcombine delim=, "Products checked"

View solution in original post

0 Karma

echalex
Builder

I was able to solve this myself, so I'm documenting the solution for the benefit of others.
Although, it can't be edited directly by the dashboard or pivot editing functionalities, but there will be a report generated, which you can edit. In there I was able to append the mvcombine. Basically, mvcombine delim=, field_name

Generated report:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

What I appended:

|mvcombine delim=, "Products checked",I found a solution for this, which I want to document.

Although this can't be done directly in pivot or by editing the dashboard itself, but there will be a corresponding report created. (You can see the name of that by editing the dashboard.) This report is of course editable as normal, and you are therefore able to append for example |mvcombine delim=, thefield.

In my example, the report generated was:

| pivot Product_Check Product_check count(Product_check) AS "Number of Products checked" values(Product) AS "Products checked" SPLITROW ShippingCountryName AS "Shipping Country" SPLITROW ShippingCountryCode AS "Country Code" SORT 100 ShippingCountryName ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

To which I appended:

|mvcombine delim=, "Products checked"
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...