Splunk Search

How do I expand rows in a lookup into columns?

ajdyer2000
Path Finder

Hi

Still learning the language. Hopefully this is a simple one.

I have a lookup that displays as

Computer1 user1 user2 user3
Computer2 user1 user2 user3
Computer3 user1 user2 user3

I would like it to display

Computer1 user1
Computer1 user2
Computer1 user3
Computer2 user1
Computer2 user2
Computer2 user3
Computer3 user1
Computer3 user2
Computer3 user3

0 Karma

somesoni2
SplunkTrust

Found one method (assuming first field in your lookup is host)

| inputlookup yourlookup.csv | untable host fields users | table host users

lguinn2
Legend

Not really that simple, but possible. Assume that the fields containing the user names are called "name1,name2,name3" and that the pipe symbol "|" cannot appear in the user names.

Do this

yoursearch or lookup
| eval User = name1 . "|" . name2 . "|" . name3
| makemv delim="|" User
| mvexpand User

First this concatenates the user names into a single field delimited by "|". The makemv command turns that field into a multi-valued field. Finally the mvexpand command makes a separate result for each value of the multi-valued field.

0 Karma

somesoni2
SplunkTrust

Is the number of columns fixed?

0 Karma
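
A variant that does not depend on the number of user columns, or on a delimiter that never appears in the user names, given as an added example that is not part of any post in this thread. The first five lines only build constructed sample rows (Computer2 is given two users instead of three); the field names host, name1 to name3 and User are assumptions, and against a real lookup those lines would be replaced by | inputlookup yourlookup.csv.

```spl
| makeresults count=3
| streamstats count AS n
| eval host="Computer".n, name1="user1", name2="user2", name3="user3"
| eval name3=if(n=2, null(), name3)
| fields - _time n
| foreach name* [ eval User=mvappend(User, '<<FIELD>>') ]
| mvexpand User
| table host User
```

foreach runs the eval once for every field matching name*, and mvappend skips null values, so a row with fewer users simply expands into fewer results.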