Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting columns into rows

greg_cox1979
New Member
‎08-16-2018 06:30 AM

Hi Splunk Gurus,

I have an unusual requirement where I need to create two rows from one:

A | B | C |D | E

to

Row 1 - A | B | C | D
Row 2 - A | B | C | E

I think i could achieve this by using APPEND but the query is very complex so I dont want to have to run it twice unless maybe it can be referenced and then queried twice if that makes sense ?

Apologies in advance if I haven't made myself clear !

Thanks in advance,

Greg

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-16-2018 08:10 AM

Generally you could do something like this, but can't be sure whether this will work for your use-case or not. Try these out and if it doesn't work, possible share you current search

your current search giving field A B C D E
| eval data=mvappend(D,E) | fields - D E
| mvexpand data
| table A B C data

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-16-2018 08:10 AM

Generally you could do something like this, but can't be sure whether this will work for your use-case or not. Try these out and if it doesn't work, possible share you current search

your current search giving field A B C D E
| eval data=mvappend(D,E) | fields - D E
| mvexpand data
| table A B C data
0 Karma
Reply
Solved! Jump to solution

greg_cox1979
New Member
‎08-17-2018 02:32 AM

Thanks so much that worked with a little tweak:

your current search giving field A B C D E
| eval data=mvappend(D,E)
| mvexpand data
| table A B C data

Cheers !
Greg

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-18-2018 02:21 AM

@greg_cox1979 greg_cplease accept Somesh Soni's answer if your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...