Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

split columns with multiple values and make into row

surekhasplunk
Communicator
‎10-10-2019 08:40 AM

Hi,

I have a query output which have many fields out of which only 2 fields have more than one values.
So when those fields have more than 1 value i want them to make new row entry with other field values remaining same. 

index=assets [|inputlookup abc.csv | search "Infrastrucure Name"="*" AND teamInCharge="*" AND type="*"| fields + Nom | rename Nom as name]   | search result="*" AND ruleName="*" | table name  "mgmtAddress.ip" ruleName  policyName  result status | rename "mgmtAddress.ip"  as ip | eval name=upper(name)| lookup abc.csv  Nom as name output "Infrastrucure Name" "teamInCharge"

Output is as shown in the imagealt text

I want now 2 different rows as there are 2 Infrastructure names.

Please help.

Tags (2)
Preview file
18 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2019 09:01 AM

Hi surekhasplunk,
did you tried with mvexpand command?

 index=assets [|inputlookup abc.csv | search "Infrastrucure Name"="*" AND teamInCharge="*" AND type="*"| fields + Nom | rename Nom as name]   result="*" AND ruleName="*" 
| table name  "mgmtAddress.ip" ruleName  policyName  result status 
| rename "mgmtAddress.ip"  as ip 
| eval name=upper(name)
| lookup abc.csv  Nom as name OUTPUT "Infrastrucure Name" "teamInCharge"
| mvexpand "Infrastrucure Name"

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2019 09:01 AM

Hi surekhasplunk,
did you tried with mvexpand command?

 index=assets [|inputlookup abc.csv | search "Infrastrucure Name"="*" AND teamInCharge="*" AND type="*"| fields + Nom | rename Nom as name]   result="*" AND ruleName="*" 
| table name  "mgmtAddress.ip" ruleName  policyName  result status 
| rename "mgmtAddress.ip"  as ip 
| eval name=upper(name)
| lookup abc.csv  Nom as name OUTPUT "Infrastrucure Name" "teamInCharge"
| mvexpand "Infrastrucure Name"

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎10-14-2019 03:31 AM

Hi @gcusello,

I have few more cases where i have the field "Infrastructure Name" look like this "FRA-DMZ APP|FRA-DMZ STANDARD MARKET ACCESS|FRA-WEBCELL GBIS" . They are separated by pipe symbol . Now how to split them into different rows ?

Please help.

thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2019 04:00 AM

Hi surekhasplunk,
To split a multivalue field in many row, you can use the mvexpand command (see https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Mvexpand ).
To create a multivalue field from a list of values divided by a separator (like your example) you can use the makemv command (see https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Makemv ).
You can use this command separately (as your first request) or together (like this last request).

E.g., you could use makemv to create multivalue field and then use mvexpand to split in different events, this only an example:

| makeresults 
| eval my_field="FRA-DMZ APP|FRA-DMZ STANDARD MARKET ACCESS|FRA-WEBCELL GBIS"
| makemv delim="|" my_field
| mvexpand my_field

Ciao.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...