Transpose function splits a multivalue field into a single value with a space delimiter

kbluech
Engager

Hi.
I found that the transpose function splits a multivalue field into a single value with a space delimiter.

< table >

AAA

BBB

CCC

< table | transpose >

AAA BBB CCC

Can I keep my multivalue?

0 Karma
1 Solution

martin_mueller
SplunkTrust

You could work around the issue like this:

| stats count | eval value = "foo" | eval multivalue = "foo bar" | makemv multivalue
    | foreach * [eval <<FIELD>> = mvjoin(<<FIELD>>, "#####")] | transpose | foreach row* [makemv "<<FIELD>>" delim="#####"]

First I create a dummy event with an mv field multivalue, that's where your transpose command would be. Now I use foreach to turn every mv field into a regular field, using a delimiter that may not exist elsewhere... do the transpose, and turn each row back into a mv field based on that delimiter.

kbluech
Engager

Yes, it works.
Additionally, before the transposed multivalue I used head 1|table |transpose|makemv delim=" " "row 1". It's not working, but I was using head 1|chart list() over _time|transpose|makemv delim=" " "row 1".
Thank you, Martin. ^^

0 Karma

martin_mueller
SplunkTrust

Well, the key reason for using foreach here is that you don't need to care about what fields actually are mv fields and how many rows you get after the transpose.

If you do know these things you could replace the foreach with one eval per mv field before the transpose and one makemv per transposed row X field after the transpose.

0 Karma
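The foreach-free variant described in the reply above, written out as an added example that is not part of the original thread: one eval per mv field before the transpose and one makemv per transposed row field after it. The field names host, users and ports and their values are constructed sample data, and the search assumes a single result row, so the only transposed field is "row 1".

```spl
| stats count
| eval host = "web01"
| eval users = "alice bob"
| eval ports = "22 443 8080"
| makemv users
| makemv ports
| eval users = mvjoin(users, "#####")
| eval ports = mvjoin(ports, "#####")
| transpose
| makemv delim="#####" "row 1"
```

After the last step the users and ports rows are multivalued again, while count and host stay single-valued because their values do not contain the delimiter.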

somesoni2
Revered Legend

Works perfectly fine with Splunk 6.x. Can we achieve the same in Splunk 5.0.5 version (foreach command is not available)?

0 Karma