how to expand multi value fields with different fo...

Rajkumarkbm2 · ‎06-07-2018

Hi ,

I want to expand as erach event for the attached example

kamlesh_vaghela · ‎06-07-2018

Hi @Rajkumarkbm2,

Can you please try following search?

YOUR_SEARCH 
| eval temp = mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(mvzip(hours_target,expectedCycles),threshold),state_Name),
state_type),hours_state_duration),state_reason),state_occurences),state_setupExceeded),state_reasonExceeded),state_color)
| stats count by _time,machine,shift,start,end,temp
| eval hours_target = mvindex(split(temp,","),0), expectedCycles = mvindex(split(temp,","),1), threshold = mvindex(split(temp,","),2), state_Name = mvindex(split(temp,","),3), state_type = mvindex(split(temp,","),4), hours_state_duration = mvindex(split(temp,","),5), state_reason = mvindex(split(temp,","),6), state_occurences = mvindex(split(temp,","),7), state_setupExceeded = mvindex(split(temp,","),8), state_reasonExceeded = mvindex(split(temp,","),9), state_color = mvindex(split(temp,","),10)
| fields - temp

Note: As I have took fields from your attached screen shot, please make sure all fields mentioned in search.

Happy Splunking

adonio · ‎06-07-2018

mvexpand command
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Mvexpand
however it seems like a result of a query, most likely the query / search can be modified to provide your desired result.
can you share your search query?

how to expand multi value fields with different formats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life