Hi Splunk Gurus,
I have an unusual requirement where I need to create two rows from one:
A | B | C |D | E
to
Row 1 - A | B | C | D
Row 2 - A | B | C | E
I think i could achieve this by using APPEND but the query is very complex so I dont want to have to run it twice unless maybe it can be referenced and then queried twice if that makes sense ?
Apologies in advance if I haven't made myself clear !
Thanks in advance,
Greg
Generally you could do something like this, but can't be sure whether this will work for your use-case or not. Try these out and if it doesn't work, possible share you current search
your current search giving field A B C D E
| eval data=mvappend(D,E) | fields - D E
| mvexpand data
| table A B C data
Generally you could do something like this, but can't be sure whether this will work for your use-case or not. Try these out and if it doesn't work, possible share you current search
your current search giving field A B C D E
| eval data=mvappend(D,E) | fields - D E
| mvexpand data
| table A B C data
Thanks so much that worked with a little tweak:
your current search giving field A B C D E
| eval data=mvappend(D,E)
| mvexpand data
| table A B C data
Cheers !
Greg
@greg_cox1979 greg_cplease accept Somesh Soni's answer if your issue is resolved.