Splunk Search

Is it possible to turn a multivalued field with an arbitrary number of elements into columns?

responsys_cm
Builder

I have a search that generates two fields -- host and application. Application is a multivalued field with varying numbers of results. Assume the field is comma delimited in the example below. It looks something like:

host application

server1 splunk,apache,named

server2 apache,tomcat

I would like to convert it into the following column format:

host application1 application2 application3 application4...
server1 splunk apache named
server2 apache tomcat

I know I can use eval and mvindex to manually create each column name and then transpose them, but without some kind of for loop, I would have to create a search with the eval statements up to the maximum mvindex value I expect to see.

Is there any way to do this without having to manually create each new column name?

Thx.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try something like this

your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0

View solution in original post

pretzel2
Path Finder

Awesome search!     Thank you VERY much. 

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try something like this

your current search giving host, application | eval temp=mvrange(1,mvcount(application)+1) | rex field=temp mode=sed "s/(\d+)/application\1/g" | eval temp=mvzip(temp,application,"#") | mvexpand temp | table host temp | rex field=temp "(?<type>\w+)#(?<application>.*)" | chart values(application) over host by type limit=0

_jgpm_
Communicator

Very powerful transaction. This should be a native command.

0 Karma

responsys_cm
Builder

Let no one ever say you aren't a Splunk ninja. Thank you so much!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...