Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to expand multi value fields with different va...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to expand multi value fields with different values in column values
Dear Experts,
Please provide a valuable solution for my problem.
I am having the fields from JSON which is having multivalue fields as below. In below example Department field having three values and Projects field having 5 values. I want expand this.
Name | EMP NO | Department | projects
ABCS | 1234567 | CS12345678 | PROJ1
| | AB12345678 | PROJ2
| | AB55555555 | PROJ3
| | | PROJ4
| | | PROJ5
I need output like the below
Name | EMP NO | Department | projects
ABCS | 1234567 | CS12345678 | PROJ1
ABCS | 1234567 | AB12345678 | PROJ2
ABCS | 1234567| AB55555555 | PROJ3
ABCS | 1234567 | NULL | PROJ4
ABCS | 1234567 | NULL | PROJ5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I start with the assumption that you have a single record that has Name="ABCS", EmpNo="1234567", Department= a multivalue field with three values, Projects= a multivalue field with 5 values.
your search here
| table Name EmpNo Department Projects
| streamstats count as recNo
| eval numRecs=If(mvcount(Department)>mvcount(Projects),mvcount(Department),mvcount(Projects)
| eval myFan=mvrange(0,numRecs)
| mvexpand myFan
| eval Department=case(myFan<mvcount(Department),mvindex(Department,myFan),
true(),"NULL")
| eval Projects=case(myFan<mvcount(Department),mvindex(Department,myFan),
true(),"NULL")
Now you have five separate records as requested.
The recNo field is a record number in case you ever want to put them back together again. You can also use it (if desired) for break logic. That could look something like this...
your search here
| table Name EmpNo Department Projects
| streamstats count as recNo
| eval numRecs=If(mvcount(Department)>mvcount(Projects),mvcount(Department),mvcount(Projects)
| eval nextRec=numRecs+1
| eval myFan=mvrange(0,nextRec)
| mvexpand myFan
| eval Department=case(myFan<mvcount(Department),mvindex(Department,myFan),
myFan=numRecs,"",
true(),"NULL")
| eval Projects=case(myFan<mvcount(Department),mvindex(Department,myFan),
myFan=numRecs,"",
true(),"NULL")
| eval Name=case(myFan=numRecs,"",
true(),Name)
| eval EmpNo=case(myFan=numRecs,"",
true(),EmpNo)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do post your json - it might be possible to extract the values correctly right away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the below question: same scenario
Fall Into Learning with New Splunk Education Courses
Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...
How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes
