Splunk Search

How to make headers as field-values?

teddyidc1101
Communicator

I have a table that looks like this:
Site 1 2 3 4 5 6

In Scope Onsite 3.5 2.44 2.4809851 1.164 2.3125 Local
In Scope Offshore 2 3 0.505 1.136 International

and I want to transform it to look like this:

Site Phase effort month
In Scope Onsite Local 2.3125 6
In Scope Onsite Local 3.5 1
In Scope Onsite Local 2.44 2
In Scope Onsite Local 2.4809851 3
In Scope Onsite Local 1.164 4
In Scope Offshore International 2 1
In Scope Offshore International 3 2
In Scope Offshore International 0.505 3
In Scope Offshore International 1.136 4

Please advise. Thanks!

0 Karma
1 Solution

oda
Communicator

Is uptake going well?
I think that it will work with the following.

your search
| rename 1 as test1, 2 as test2, 3 as test3, 4 as test4, 5 as test5, 6 as test6
| eval Result=mvappend(test1,test2,test3,test4,test5,test6)
| eval effort=mvfilter(match(Result,"\d+"))
| mvexpand effort
| streamstats count by Site
| eval Phase=case(Site=="In Scope Offshore","International",Site=="In Scope Onsite","Local")
| rename count as month
| table Site Phase effort month

0 Karma

teddyidc1101
Communicator

Works as expected!

0 Karma

teddyidc1101
Communicator

Thank you!

oda
Communicator

Thank you for your reply.
It is nice!

0 Karma

teddyidc1101
Communicator

Hello! I encountered an issue on some of the occurrences while checking the results. The count should correspond to a month, right? I extended the months to 12; some of them worked, but some continued to 13 onwards, moving to 60+. Is there a way to limit the count per mv field?

0 Karma

oda
Communicator

Can you define the field well?
Sample log and sample fields and
please tell me the expected behavior.

0 Karma

teddyidc1101
Communicator

Sorry for the delayed response but this is working as expected...thanks so much for the help!

0 Karma

oda
Communicator

That's good!
Thank you!

0 Karma
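
An alternative for the month-numbering problem raised in the thread, added here as an example and not code from either poster: `streamstats count by Site` keeps counting across every row that shares a Site value, so this version uses `untable` to take the month from the column name itself. The `makeresults` rows are constructed sample data (the placement of values in columns 1 to 6 is an assumption), and `format=csv` requires a Splunk version that supports it.

```spl
| makeresults format=csv data="Site,1,2,3,4,5,6
In Scope Onsite,3.5,2.44,2.4809851,1.164,,2.3125
In Scope Offshore,2,3,0.505,1.136,,"
| table Site 1 2 3 4 5 6
| untable Site month effort
| where match(effort, "^\d+(\.\d+)?$")
| eval Phase=case(Site=="In Scope Offshore", "International", Site=="In Scope Onsite", "Local")
| table Site Phase effort month
```

Because `month` is the original column name, an empty column is skipped without shifting later months, and the value can never exceed the number of month columns regardless of how many rows share a Site.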