Splunk Search

Can I format a table in reverse (field headings by row, not by columns)?

jamesklassen
Path Finder

I have a number of fields formatted into a table. For example:

results | stats count(results) as Field1, stats count(results) as Field2, stats count(results) as Field3

This will display two rows, with the first being the column headers and the second row the data.

However, I'd like to format the dashboard with two columns. One column for the header, and the other column for the results. So in this example there would be two columns and three rows...rather than three columns and two rows...with the field headers in the first column.

Is this possible?

1 Solution

dwaddle
SplunkTrust
SplunkTrust

Will transpose do what you're looking for?

http://www.splunk.com/base/Documentation/latest/SearchReference/Transpose


To rename the new column headings is a little messy:

| rename column AS foo | rename "row 1" AS bar | rename "row 2" as baz

View solution in original post

clivebeavis
New Member

Try this after the transpose

| rename column as Properties, "row 1" as "foo", "row 2" as "bar" ....

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Will transpose do what you're looking for?

http://www.splunk.com/base/Documentation/latest/SearchReference/Transpose


To rename the new column headings is a little messy:

| rename column AS foo | rename "row 1" AS bar | rename "row 2" as baz

RiccardoV
Communicator

after 3 years I found this answer and I love it.

0 Karma

kmugglet
Communicator

The column, row 1, row 2, etc are case sensitive with some spaces; so it needs to be as dwaddle said,

rename "row 1" as bar

Also, I transposed the results of a timechart and needed to add the following to strip out extra fields

search NOT(foo =_time OR foo =_span OR foo =_spandays)
0 Karma

gdspider
New Member

rename only work for column not for row1 or row2. any idea how i can rename row1 after transpose?

0 Karma

dwaddle
SplunkTrust
SplunkTrust

See update, we aim to please 🙂

0 Karma

jamesklassen
Path Finder

Exactly what I was looking for! The only problem is it sets the column names as "column" and "row1". Any idea how to set the names?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...