Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What data transform approach should I use with thi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChioNeng
Explorer
08-13-2020
08:24 AM
Im kinda newbie here in splunk. Whats the difference between multivalue and transpose command? how can i convert this input to this desired output? (see tables below) Is Multivalue or transpose command can manage this?
For a newbie like me those commands is kinda tricky. Many thanks in advance
For a newbie like me those commands is kinda tricky. Many thanks in advance
input:
| Field1 | Field2 | Country | 1-Jun | 1-Jul | 1-Aug | 1-Sep | 1-Oct |
| X | AB | Thailand | 23 | 2343 | 31 | 1 | 1 |
| Y | CD | Singapore | 2 | 321 | 2 | 52 | 22 |
| Z | EF | Philippines | 31 | 56 | 43 | 84 | 23 |
output:
| Field1 | Field2 | Country | Month | Value |
| X | AB | Thailand | 1-Jun | 23 |
| X | AB | Thailand | 1-Jul | 2343 |
| X | AB | Thailand | 1-Aug | 31 |
| X | AB | Thailand | 1-Sep | 1 |
| X | AB | Thailand | 1-Oct | 1 |
| Y | CD | Singapore | 1-Jun | 2 |
| Y | CD | Singapore | 1-Jul | 321 |
| Y | CD | Singapore | 1-Aug | 2 |
| Y | CD | Singapore | 1-Sep | 52 |
| Y | CD | Singapore | 1-Oct | 22 |
| Z | EF | Philippines | 1-Jun | 31 |
| Z | EF | Philippines | 1-Jul | 56 |
| Z | EF | Philippines | 1-Aug | 43 |
| Z | EF | Philippines | 1-Sep | 84 |
| Z | EF | Philippines | 1-Oct | 23 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
08-13-2020
07:34 PM
| makeresults
| eval _raw="Field1 Field2 Country 1_Jun 1_Jul 1_Aug 1_Sep 1_Oct
X AB Thailand 23 2343 31 1 1
Y CD Singapore 2 321 2 52 22
Z EF Philippines 31 56 43 84 23"
| multikv
| table Field1 Field2 Country 1_Jun 1_Jul 1_Aug 1_Sep 1_Oct
| foreach 1_*
[ rename <<FIELD>> as 1-<<MATCHSTR>>]
| rename COMMENT as "this is your sample. from here, the logic"
| eval tmp=mvzip(Field1,mvzip(Field2,Country))
| fields - F* Country
| untable tmp Month Value
| rex field=tmp "(?<Field1>[^,]+),(?<Field2>[^,]+),(?<Country>.*)"
| fields - tmp
| eval Month=strptime(Month."2019","%d-%b%Y")
| table Field* Country Month Value
| fieldformat Month=strftime(Month,"%d-%b")
| sort Field1 Monthmvexpand or tranpose is not need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
08-13-2020
07:34 PM
| makeresults
| eval _raw="Field1 Field2 Country 1_Jun 1_Jul 1_Aug 1_Sep 1_Oct
X AB Thailand 23 2343 31 1 1
Y CD Singapore 2 321 2 52 22
Z EF Philippines 31 56 43 84 23"
| multikv
| table Field1 Field2 Country 1_Jun 1_Jul 1_Aug 1_Sep 1_Oct
| foreach 1_*
[ rename <<FIELD>> as 1-<<MATCHSTR>>]
| rename COMMENT as "this is your sample. from here, the logic"
| eval tmp=mvzip(Field1,mvzip(Field2,Country))
| fields - F* Country
| untable tmp Month Value
| rex field=tmp "(?<Field1>[^,]+),(?<Field2>[^,]+),(?<Country>.*)"
| fields - tmp
| eval Month=strptime(Month."2019","%d-%b%Y")
| table Field* Country Month Value
| fieldformat Month=strftime(Month,"%d-%b")
| sort Field1 Monthmvexpand or tranpose is not need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ChioNeng
Explorer
08-16-2020
10:34 PM
thanks a lot @to4kawa 🙂
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
