×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
angliu
Engager
Member since: ‎03-01-2017
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-01-2017
Activity Feed
Topics I've Started
View All

Re: Unpivot multi-value fields

by in Splunk Dev
‎03-02-2017 11:48 AM
‎03-02-2017 11:48 AM
Wow. You're the best. Thank you so much. If it works, it works! At least it gets me much further down the path... thanks again! ... View more

Unpivot multi-value fields

by in Splunk Dev
‎03-01-2017 04:04 PM
‎03-01-2017 04:04 PM
I am working with some email header data, starting with generating some multi-value fields and now get to this point... index=teed sourcetype="emaildata" | eval max_date_sent= max(DateTimeSent) | dedup message_id, max_date_sent |table FromEmailAddress, Subject, DateTimeSent, ToRecipient, CcRecipient, BccRecipient | where FromEmailAddress != "" but what I really want is to examine the individual relationship, so the final output will like this... I've tried this index=cms sourcetype="exchangeemails" | eval max_date_sent= max(DateTimeSent) | dedup InternetMessageID, max_date_sent | eval tocc=mvzip(ToRecipients,CcRecipients) | eval receivers=mvzip(tocc,CcRecipients) | mvexpand receivers | makemv delim="," receivers | table FromEmailAddress, receivers but this returns some duplicated records for the receivers, and cannot distinguish if the receiver was originally a to/cc/bcc. Can someone point direction? Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All