Solved: Re: Put fields results under other fields

matansocher · ‎02-21-2018

Hi,

I have my query that return a table with 4 fields: A1, B1, A2, A2. I want to create a new table that contains 2 fields: A and B.

example:
current table -

desired table -

I would like to achieve that without running on the events again and append the results.

is there an efficient way to do that?

thanks

mayurr98 · ‎02-21-2018

hey try this run anywhere search

| makeresults 
| eval A1="1",B1="2",A2="3",B2="4" 
| append 
    [| makeresults 
    | eval A1="5",B1="6",A2="7",B2="8"] 
| append 
    [| makeresults 
    | eval A1="9",B1="10",A2="10",B2="11"] 
| eval A=A1+":"+B1,B=A2+":"+B2 
| table A B 
| eval C=mvzip(A,B) 
| makemv delim="," C 
| mvexpand C 
| rex field=C "(?<A>[^\:]+)\:(?<B>.*)" 
| table A B

In your environment, you should try

<table with columns A1,A2,B1,B2> 
| eval A=A1+":"+B1,B=A2+":"+B2 
| table A B 
| eval C=mvzip(A,B) 
| makemv delim="," C 
| mvexpand C 
| rex field=C "(?<A>[^\:]+)\:(?<B>.*)" 
| table A B

let me know if this helps!

View solution in original post

mayurr98 · ‎02-21-2018

hey try this run anywhere search

| makeresults 
| eval A1="1",B1="2",A2="3",B2="4" 
| append 
    [| makeresults 
    | eval A1="5",B1="6",A2="7",B2="8"] 
| append 
    [| makeresults 
    | eval A1="9",B1="10",A2="10",B2="11"] 
| eval A=A1+":"+B1,B=A2+":"+B2 
| table A B 
| eval C=mvzip(A,B) 
| makemv delim="," C 
| mvexpand C 
| rex field=C "(?<A>[^\:]+)\:(?<B>.*)" 
| table A B

In your environment, you should try

<table with columns A1,A2,B1,B2> 
| eval A=A1+":"+B1,B=A2+":"+B2 
| table A B 
| eval C=mvzip(A,B) 
| makemv delim="," C 
| mvexpand C 
| rex field=C "(?<A>[^\:]+)\:(?<B>.*)" 
| table A B

let me know if this helps!

matansocher · ‎02-21-2018

great workaround! thanks

Put fields results under other fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!