Solved: How can I rename column names after a transpose ba...

rodrigorenie · ‎11-28-2014

Hello Everyone.

I have a search that uses streamstat to create a field called "answer" and "frequency" for each resulting event. Each of these events has another field, called "app", which is the applicaction that generated that event. I also use "dedup" command to get only the last event generated by each application, resulting in something like this:

app=APP1;anwser=123;freq=159
app=APP2;anwser=456;freq=77
app=APP3;anwser=789;freq=44
app=APP4;anwser=112;freq=332

I want to create a simple table that has as columns the name of the application (from the "app" field) and as values (lines) of the table, the answer and the freq, like this:

           APP1     APP2     APP3     APP4
answer     123      456      789      112 
freq       159      77       44       332

What I've done so far is this:

mysearch | table answer,frequency | transpose | 
 rename "row 1" as APP1, "row 2" as APP2,  "row 3" as APP3,  "row 4" as APP4

Which does the trick, but would be perfect if I could rename the automatically created rows by the transpose command with the values of the "app" field.

Is it possible to do that or is there a better way to create such table?

Thanks!

somesoni2 · ‎11-28-2014

Try this

your search with streamstats giving a table with app anwser freq | untable app name value | xyseries name app value

View solution in original post

somesoni2 · ‎11-28-2014

Try this

your search with streamstats giving a table with app anwser freq | untable app name value | xyseries name app value

rodrigorenie · ‎11-28-2014

yeap! Worked perfectly! Didn't know about the untable command, thank you!!

How can I rename column names after a transpose based on a field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life