Had a customer recently ask about to disaggregate a {{Splunk}} search that had aggregated fields because they export to CSV horribly.
Here’s the thing.
You can’t disaggregate aggregated fields.
And there’s a Good Reason™, too: aggregation, by definition, is a one-way street.
You can’t un-average something.
Average is an aggregation function.
So why would you think you could disaggregate any other {{Splunk}} aggregation operation (like values or list)?
You can’t.
And you shouldn’t be able to (as nice as the theoretical use case for it might be).
So what is a body to do when you have a use case for a clean-to-export report that looks as if it had been aggregated, but every field in each row cleanly plunks-out to a single comma-separated value?
Here’s what I did:
{parent search}
| join {some field that'll exist in the subsearch}
[ search {parent search}
| stats {some stats functions here} ]
| fields - {whatever you don't want}
| sort - {fieldname}
What does that end up doing?
The subsearch is identical to the outer search, plus whatever filtering/where/|stats you might want/need to do.
Using the resultant, filtered set, join on a field you know will be unique [enough].
Then sort however you’d like, and remove whatever fields you don’t want in the final display.
Of course, be sure your subsearch will complete in under 60 seconds and/or return fewer than 10,000 lines (unless you’ve modified your {{Splunk}} limits.conf)