How do I expand rows in a lookup into columns?

ajdyer2000 · ‎01-13-2016

Hi

Still learning the language. Hopefully this is a simple one.

I have a lookup that displays as

Computer1 user1 user2 user3
Computer2 user1 user 2 user3
Computer 3 user1 user2 user3

I would like it to display

Computer1 user1
Computer1 user2
Computer1 user3
Computer2 user1
Computer2 user2
Computer2 user3
Computer3 user1
Computer3 user2
Computer3 user3

somesoni2 · ‎01-13-2016

Found one method (assuming first field in your lookup is host)

| inputlookup yourlookup.csv | untable host fields users | table host users

lguinn2 · ‎01-13-2016

Not really that simple, but possible. Assume that the fields containing the user names are called "name1,name2,name3" and that the pipe symbol "|" cannot appear in the user names.

Do this

yoursearch or lookup
| eval User = name1 . "|"  name2 . "|"  name3
|  makemv delim="|" User
| mvexpand User

First this concatenates the user names into a single field delimited by "|". The makemv command turns that field into a multi-valued field. Finally the mvxexpand command makes a separate result for each value of the multi-valued field.

somesoni2 · ‎01-13-2016

Is the number of columns fixed?

How do I expand rows in a lookup into columns?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk