Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I format a table in reverse (field headings by row, not by columns)?

jamesklassen
Path Finder
‎03-23-2011 05:18 PM

I have a number of fields formatted into a table. For example:

results | stats count(results) as Field1, stats count(results) as Field2, stats count(results) as Field3

This will display two rows, with the first being the column headers and the second row the data.

However, I'd like to format the dashboard with two columns. One column for the header, and the other column for the results. So in this example there would be two columns and three rows...rather than three columns and two rows...with the field headers in the first column.

Is this possible?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎03-23-2011 05:21 PM

Will transpose do what you're looking for?

http://www.splunk.com/base/Documentation/latest/SearchReference/Transpose

To rename the new column headings is a little messy:

| rename column AS foo | rename "row 1" AS bar | rename "row 2" as baz

View solution in original post

Reply
Solved! Jump to solution

clivebeavis
New Member
‎11-23-2013 05:04 PM

Try this after the transpose

| rename column as Properties, "row 1" as "foo", "row 2" as "bar" ....

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎03-23-2011 05:21 PM

Will transpose do what you're looking for?

http://www.splunk.com/base/Documentation/latest/SearchReference/Transpose

To rename the new column headings is a little messy:

| rename column AS foo | rename "row 1" AS bar | rename "row 2" as baz
Reply
Solved! Jump to solution

RiccardoV
Communicator
‎10-29-2014 08:18 AM

after 3 years I found this answer and I love it.

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎04-08-2014 10:27 PM

The column, row 1, row 2, etc are case sensitive with some spaces; so it needs to be as dwaddle said, 

rename "row 1" as bar

Also, I transposed the results of a timechart and needed to add the following to strip out extra fields

search NOT(foo =_time OR foo =_span OR foo =_spandays)
0 Karma
Reply
Solved! Jump to solution

gdspider
New Member
‎06-21-2012 06:12 AM

rename only work for column not for row1 or row2. any idea how i can rename row1 after transpose?

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎03-23-2011 05:45 PM

See update, we aim to please 🙂

0 Karma
Reply
Solved! Jump to solution

jamesklassen
Path Finder
‎03-23-2011 05:35 PM

Exactly what I was looking for! The only problem is it sets the column names as "column" and "row1". Any idea how to set the names?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...