I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks something like:
host application
server1 splunk,apache,named
server2 apache,tomcat
I would like to convert it into the following column format:
host application1 application2 application3 application4...
server1 splunk apache named
server2 apache tomcat
I know I can use eval and mvindex to manually create each column name and then transpose them, but without some kind of for loop, I would have to create a search with the eval statements up to the maximum mvindex value I expect to see.
Is there any way to do this without having to manually create each new column name?
Thx.
Try something like this
your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0
Awesome search! Thank you VERY much.
Try something like this
your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0
Very powerful transaction. This should be a native command.
Let no one ever say you aren't a Splunk ninja. Thank you so much!