Hi,
I am trying to re-organize my table, by moving some fields to become columns rather than rows, but also keeping some to be rows.
This is what I have:
_time........................field1....field2 ......99th_perc......avg
08/02/2015 0:00.......A............Y..............903..............342
08/02/2015 0:00.......B............ Z..............2131..............676
08/02/2015 0:00.......C............Y..............604..............319
08/02/2015 0:00.......D............Z..............1433..............190
08/03/2015 0:00.......A............Y..............1197 ..............200
08/03/2015 0:00.......B............Z..............1038..............160
08/03/2015 0:00.......C............Y..............419..............146
08/03/2015 0:00.......D............Z..............327..............234
This is what I want:
.....................................Y..........................................................Z
...................................A...........................C............................B...........................D
...................................99th_perc.....avg...99th_perc...avg...99th_perc...avg...99th_perc..... avg
08/02/2015 0:00........903................342.........604.......319....2131...........676....1433............190
08/03/2015 0:00........1197..............200......... 419.......146....1038...........160....327............234
How to I turn field 1 and field 2 into columns while keeping time as a row?
Thanks in advance
Something like this should do, append to your search building the first table:
... | eval {field1}_{field2}_99th_perc = 99th_perc | eval {field1}_{field2}_avg = avg | stats values(*_*_*) as *_*_* by _time
Note, Splunk doesn't really do multi-layered columns, so this is a bit ugly.
Something like this should do, append to your search building the first table:
... | eval {field1}_{field2}_99th_perc = 99th_perc | eval {field1}_{field2}_avg = avg | stats values(*_*_*) as *_*_* by _time
Note, Splunk doesn't really do multi-layered columns, so this is a bit ugly.
Thank you! This worked very well.