Splunk Search

help with table column transformation needed

damucka
Builder

Hello,

I need to transform the table I have from:

_time  avg1  avg2  avg3
t1      v11   v21   v31 
t2      v12   v22   v32 
t3      v13   v23   v33

into

_time   KPI   VALUE 
t1      avg1    v11    
t2      avg1    v12    
t3      avg1    v13
t1      avg2    v21    
t2      avg2    v22    
t3      avg2    v23   
t1      avg3    v31    
t2      avg3    v32    
t3      avg3    v33 

I need this format to create a punchcard visualization out of it later.

How would I achieve this?

Kind regards,
Kamil

Tags (1)
0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

@damucka

Can you please try this?

YOUR_SEARCH |eval KPI="" | foreach avg* [eval KPI=KPI.","."<<FIELD>>"] | eval KPI=split(KPI,",") | mvexpand KPI | where KPI!="" | eval VALUE=case(KPI="avg1",avg1,KPI="avg2",avg2,KPI="avg3",avg3) | table time KPI VALUE

Sample Search:

| makeresults 
| eval _raw=" _time  avg1  avg2  avg3
 t1      v11   v21   v31 
 t2      v12   v22   v32 
 t3      v13   v23   v33" | multikv forceheader=1 | table time avg1 avg2 avg3 |eval KPI="" | foreach avg* [eval KPI=KPI.","."<<FIELD>>"] | eval KPI=split(KPI,",") | mvexpand KPI | where KPI!="" | eval VALUE=case(KPI="avg1",avg1,KPI="avg2",avg2,KPI="avg3",avg3) | table time KPI VALUE

Thanks

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@damucka

Can you please try this?

YOUR_SEARCH |eval KPI="" | foreach avg* [eval KPI=KPI.","."<<FIELD>>"] | eval KPI=split(KPI,",") | mvexpand KPI | where KPI!="" | eval VALUE=case(KPI="avg1",avg1,KPI="avg2",avg2,KPI="avg3",avg3) | table time KPI VALUE

Sample Search:

| makeresults 
| eval _raw=" _time  avg1  avg2  avg3
 t1      v11   v21   v31 
 t2      v12   v22   v32 
 t3      v13   v23   v33" | multikv forceheader=1 | table time avg1 avg2 avg3 |eval KPI="" | foreach avg* [eval KPI=KPI.","."<<FIELD>>"] | eval KPI=split(KPI,",") | mvexpand KPI | where KPI!="" | eval VALUE=case(KPI="avg1",avg1,KPI="avg2",avg2,KPI="avg3",avg3) | table time KPI VALUE

Thanks

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...