I have a number of fields formatted into a table. For example:
results | stats count(results) as Field1, stats count(results) as Field2, stats count(results) as Field3
This will display two rows, with the first being the column headers and the second row the data.
However, I'd like to format the dashboard with two columns. One column for the header, and the other column for the results. So in this example there would be two columns and three rows...rather than three columns and two rows...with the field headers in the first column.
Is this possible?
Will transpose do what you're looking for?
http://www.splunk.com/base/Documentation/latest/SearchReference/Transpose
To rename the new column headings is a little messy:
| rename column AS foo | rename "row 1" AS bar | rename "row 2" as baz
Try this after the transpose
| rename column as Properties, "row 1" as "foo", "row 2" as "bar" ....
Will transpose do what you're looking for?
http://www.splunk.com/base/Documentation/latest/SearchReference/Transpose
To rename the new column headings is a little messy:
| rename column AS foo | rename "row 1" AS bar | rename "row 2" as baz
after 3 years I found this answer and I love it.
The column, row 1, row 2, etc are case sensitive with some spaces; so it needs to be as dwaddle said,
rename "row 1" as bar
Also, I transposed the results of a timechart and needed to add the following to strip out extra fields
search NOT(foo =_time OR foo =_span OR foo =_spandays)
rename only work for column not for row1 or row2. any idea how i can rename row1 after transpose?
See update, we aim to please 🙂
Exactly what I was looking for! The only problem is it sets the column names as "column" and "row1". Any idea how to set the names?