Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rotate a table using transpose, remove the first row, and rename the column headers?

HattrickNZ
Motivator
‎06-03-2015 07:44 PM

i have this search which gives me:
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
which gives me this:

subname2    foo     bar     la
SG  300000  160000  100000
US  300000  160000  60000

If i use transpose with this
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | transpose
I get 

column  row 1   row 2
subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

Now how do I remove the the 1st row of the table "subname2 SG US" and use this as my column headers?

I know I can do this:
...| rename column as subname2 | rename "row 1" as SG | rename "row 2" as US
to rename the column headers.

But how do I remove the first row? And is this the best way of doing this?

Ultimately I want this: 

subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

NOTE: A smilar question has been asked here

Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

View solution in original post

Reply
Solved! Jump to solution

tmurata_splunk
Splunk Employee
Splunk Employee
‎09-08-2018 07:59 AM

I think this is easier.

... 
 | transpose header_field=subname2
 | rename column as subname2
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎04-10-2019 07:57 AM

Right this one easier and quickly too...!! thanks 🙂

0 Karma
Reply
Solved! Jump to solution

ksubramanian198
Engager
‎08-09-2018 06:23 AM

Hi , Please try the below and let me know the result
| stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
| transpose header_field=column
| fields- column

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

Reply
Solved! Jump to solution

bhawkins1
Communicator
‎02-07-2017 09:11 AM

transpose should have an optional parameter over which just does | untable <over> a b | xyseries a <over> b

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎06-03-2015 08:32 PM

tks, I think this is exactly what I am looking for.

transpose was the only way I could think of at the time.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...