Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What data transform approach should I use with this? MV, tranpose, ...?

ChioNeng
Explorer
‎08-13-2020 08:24 AM
Im kinda newbie here in splunk. Whats the difference between multivalue and transpose command? how can i convert this input to this desired output? (see tables below) Is Multivalue or transpose command can manage this?

For a newbie like me those commands is kinda tricky. Many thanks in advance
 

input:

Field1Field2Country1-Jun1-Jul1-Aug1-Sep1-Oct
XABThailand2323433111
YCDSingapore232125222
ZEFPhilippines3156438423

 

output:

Field1Field2CountryMonthValue
XABThailand1-Jun23
XABThailand1-Jul2343
XABThailand1-Aug31
XABThailand1-Sep1
XABThailand1-Oct 1
YCDSingapore1-Jun2
YCDSingapore1-Jul321
YCDSingapore1-Aug2
YCDSingapore1-Sep52
YCDSingapore1-Oct 22
ZEFPhilippines1-Jun31
ZEFPhilippines1-Jul56
ZEFPhilippines1-Aug43
ZEFPhilippines1-Sep84
ZEFPhilippines1-Oct 23
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎08-13-2020 07:34 PM 
| makeresults 
| eval _raw="Field1	Field2	Country	1_Jun	1_Jul	1_Aug	1_Sep	1_Oct
X	AB	Thailand	23	2343	31	1	1
Y	CD	Singapore	2	321	2	52	22
Z	EF	Philippines	31	56	43	84	23" 
| multikv 
| table Field1 Field2 Country 1_Jun 1_Jul 1_Aug 1_Sep 1_Oct 
| foreach 1_* 
    [ rename <<FIELD>> as 1-<<MATCHSTR>>] 
| rename COMMENT as "this is your sample. from here, the logic"    
| eval tmp=mvzip(Field1,mvzip(Field2,Country)) 
| fields - F* Country 
| untable tmp Month Value 
| rex field=tmp "(?<Field1>[^,]+),(?<Field2>[^,]+),(?<Country>.*)" 
| fields - tmp 
| eval Month=strptime(Month."2019","%d-%b%Y") 
| table Field* Country Month Value 
| fieldformat Month=strftime(Month,"%d-%b") 
| sort Field1 Month

mvexpand or tranpose is not need.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎08-13-2020 07:34 PM 
| makeresults 
| eval _raw="Field1	Field2	Country	1_Jun	1_Jul	1_Aug	1_Sep	1_Oct
X	AB	Thailand	23	2343	31	1	1
Y	CD	Singapore	2	321	2	52	22
Z	EF	Philippines	31	56	43	84	23" 
| multikv 
| table Field1 Field2 Country 1_Jun 1_Jul 1_Aug 1_Sep 1_Oct 
| foreach 1_* 
    [ rename <<FIELD>> as 1-<<MATCHSTR>>] 
| rename COMMENT as "this is your sample. from here, the logic"    
| eval tmp=mvzip(Field1,mvzip(Field2,Country)) 
| fields - F* Country 
| untable tmp Month Value 
| rex field=tmp "(?<Field1>[^,]+),(?<Field2>[^,]+),(?<Country>.*)" 
| fields - tmp 
| eval Month=strptime(Month."2019","%d-%b%Y") 
| table Field* Country Month Value 
| fieldformat Month=strftime(Month,"%d-%b") 
| sort Field1 Month

mvexpand or tranpose is not need.

0 Karma
Reply
Solved! Jump to solution

ChioNeng
Explorer
‎08-16-2020 10:34 PM

thanks a lot @to4kawa 🙂 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...