Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to unbundle a list?

natrixia
Explorer
‎04-29-2011 06:29 PM

I'm aggregating some values via 'chart list(value) as jobs by something' and then later on I want to produce a table that puts every value of 'jobs' into a single row. For example my query is

index=main | fields counter, job | dedup job, counter | chart list(job) as jobs by counter

and my output is something like

---------------------
| counter   | job   |
|-------------------|
| counter1  | job11 |
|           | job12 |
|           | job13 |
| ------------------|
| counter2  | job21 |
|           | job22 |
---------------------

and later on I do the following postprocess:

 search counter="counter2" | table jobs

And I get the following response

---------
| job   |
| ------|
| job21 | (row1)
| job22 |
---------

I would like to get this response:

---------
| job   |
|-------|
| job21 | (row1)
|-------|
| job22 | (row2)
---------

I.e. I would like the resulting table to print every value of the 'jobs' list into a separate row of the table but the above command just gives me one row with all the list's values in it. Is there a way to do something like this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

natrixia
Explorer
‎05-01-2011 04:20 PM

Looks like the command I was looking for was mvexpand so it would be something like:

search counter="counter1" | table jobs | mvexpand jobs

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

natrixia
Explorer
‎05-01-2011 04:20 PM

Looks like the command I was looking for was mvexpand so it would be something like:

search counter="counter1" | table jobs | mvexpand jobs
0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-30-2011 12:52 AM

In general, you should avoid the list() function, and just do the original query as:

index=main | stats count by counter, job | fields - count

the fields and dedup are unnecessary and redundant, as chart or stats does that anyway.

Reply
Solved! Jump to solution

natrixia
Explorer
‎05-01-2011 04:18 PM

I wanted to do something like you suggested by I need the deduped values of 'counter' to be put into a dropdown menu.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...