Re: how can i change column values to field names

kirrusk · ‎12-03-2020

i'm trying to convert values in column to fields names, But not able to achieve.

table is like

ENV LABEL APP

PR1 labelp1 APP1

PR1 labelp11 APP2

PR2 labelp2 APP1

PR2 labelp22 APP2

i'm trying to achieve

PR1 PR2 APP

labelp1 labelp2 APP1

labelp11 labelp22 APP2

Can any one help on this

mdorobek · ‎12-03-2020

Hello,

this might be a quick and dirty solution but it should work:

regards,
mdorobek

kirrusk · ‎12-03-2020

@mdorobek have updated question pls suggest on this

mdorobek · ‎12-03-2020

Hello,

heres the solution after the update:

...
| eval _raw=ENV+"="+LABEL
| extract
| stats values(PR1) as PR1 values(PR2) as PR2 by APP

However, this might need some further steps if you have multiple combinations of PR2/PR1 and App.
If it doesnt solve your requirements a little more context would help to find the correct solution.

Heres a possible solution, but you have to be aware, that this depends on the arrangement of your data and might not give correct results if you have another arrangement.

| eval _raw=ENV+"="+LABEL
| extract
| stats values(PR1) as PR1 values(PR2) as PR2 by APP
| eval combined=mvzip(PR1,PR2,"|")
| fields - PR1, PR2
| mvexpand combined
| eval PR1=mvindex(split(combined,"|"),0)
| eval PR2=mvindex(split(combined,"|"),1)
| fields - combined

regards,
mdorobek

kirrusk · ‎12-03-2020

@mdorobek not working as expected , it is giving column like

App PR1 PR2

App1 label11 label2

label12 label21

.. ..

App2 labell1 label2

label11 label22

mdorobek · ‎12-04-2020

Thats exactly what I meant with "However, this might need some further steps if you have multiple combinations of PR2/PR1 and App. " I updated the answer.

how can i change column values to field names

chart

eval

fields

join

lookup

rex

subsearch

table

timechart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!