Solved: search for multiple value fields to multi column t...

murat_ekren · ‎05-22-2020

title is bit confusing but I have a data like the below

date,assetname,assetIP
2020/05/05 10:00:00,esprbtrapmgr1,195.187.11.144
2020/05/05 10:00:00,nxc-webap2,10.186.36.196
2020/05/05 10:00:00,eytocesxc7p15,10.16.22.186
2020/05/05 10:00:00,eytocesxc7p15,10.16.22.18
2020/05/05 10:00:00,eytocesxc7p15,10.16.26.98
2020/05/05 10:00:00,aktocesxc16p08,10.16.26.21
2020/05/05 10:00:00,aktocesxc16p08,10.16.56.23

and I want a table like
any suggestions ?

assetname| assetIP |assetIP2 |assetIP3    ....
esprbtrapmgr1|195.187.11.144 
eytocesxc7p15 |10.16.22.186|10.16.22.18|10.16.26.98|
aktocesxc16p08|10.16.26.21|10.16.56.23

richgalloway · ‎05-22-2020

This brute-force method works, but only with a fixed number of assetIP values.

| makeresults | eval _raw="assetname      assetIP
esprbtrapmgr1  195.187.11.144
nxc-webap2     10.186.36.196
eytocesxc7p15  10.16.22.186
eytocesxc7p15  10.16.22.18
eytocesxc7p15  10.16.26.98
aktocesxc16p08 10.16.26.21
aktocesxc16p08 10.16.56.23" | multikv forceheader=1
`comment("Above just sets test data")`
| stats values(assetIP) as assetIP by assetname
`comment("mvindex(assetIP, 0) must be last")`
| eval assetIP2=mvindex(assetIP, 1), assetIP3=mvindex(assetIP, 2), assetIP=mvindex(assetIP, 0)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

murat_ekren · ‎06-04-2020

Thanks that worked 🙂

richgalloway · ‎05-22-2020

This brute-force method works, but only with a fixed number of assetIP values.

| makeresults | eval _raw="assetname      assetIP
esprbtrapmgr1  195.187.11.144
nxc-webap2     10.186.36.196
eytocesxc7p15  10.16.22.186
eytocesxc7p15  10.16.22.18
eytocesxc7p15  10.16.26.98
aktocesxc16p08 10.16.26.21
aktocesxc16p08 10.16.56.23" | multikv forceheader=1
`comment("Above just sets test data")`
| stats values(assetIP) as assetIP by assetname
`comment("mvindex(assetIP, 0) must be last")`
| eval assetIP2=mvindex(assetIP, 1), assetIP3=mvindex(assetIP, 2), assetIP=mvindex(assetIP, 0)

---
If this reply helps you, Karma would be appreciated.

search for multiple value fields to multi column table

table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!