Re: reformatting output in table

secure · ‎03-20-2025

Hi everyone

i have a dataset

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time

i want the final output to be like below

APP1	hostname1	hostnames2
appdelta	syzhost.domain1	syzhost.domain1
appdelta	abchost.domain1	abchost.domain1
appdelta	egfhost.domain1

any suggestions

yuanliu · ‎03-24-2025

You need to describe the logic from the input to the desired output. There are at least two possible ways to match hostname1 and hostname2:

Match by position. This is the route @ITWhisperer takes.
Match by hostname.

If the requirement is to match by name, this is one way to do it.

| foreach hostname1 hostname2
    [eval matchhost = if(isnull(matchhost) OR mvcount(<<FIELD>>) > mvcount(matchhost), <<FIELD>>, matchhost)]
| mvexpand matchhost
| foreach hostname1 hostname2
    [eval <<FIELD>> = mvindex(<<FIELD>>, mvfind(<<FIELD>>, matchhost))]
| fields - matchhost

ITWhisperer · ‎03-20-2025

| eval row=mvrange(0,max(mvcount(hostname1), mvcount(hostname2)))
| mvexpand row
| eval hostname1=mvindex(hostname1,row)
| eval hostname2=mvindex(hostname2,row)
| fields - row

reformatting output in table

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation