Splunk Search

Field results as table column headings

Drainy
Champion

A quick example:

Program Name    2.04.0  2.4.3   3.4.24  4.53.5  9
Word            2       1       0       1
Excel           1       2       2       1   
IE              0       0       0       0       1
ETC

The above example was something I produced completely by accident when experimenting with searches to solve a different problem; looking back now, I realise that I can actually use this.
What I have done is performed a search on two fields, program_name and program_version. With the resultant data I have managed to construct a table where the version fields found form the headings for each column.
The program name forms each row, with a count of how many occurrences of that program name have the corresponding program version.
Firstly I did try going back through the history, but this didn't produce anything of use, and I have since been experimenting endlessly with different combinations of stats commands to try and reproduce it - any pointers/nudges or help would be appreciated.

1 Solution

Ayn
Legend

The chart command could be used to achieve this. By giving chart two fields to split the results by, it will output a table like the one you show in your question, where the columns are made up from the distinct values of the first field, and the rows are correspondingly made up from the distinct values of the second field. So, using the field names program_name and program_version, this will give you the table you want:

<yourbasesearch> | chart count by program_name,program_version

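To make the two-field split concrete, here is an added example that is not part of the original thread and not Splunk's own code: a small Python reimplementation of the crosstab that `chart count by program_name,program_version` (equivalently `chart count over program_name by program_version`) produces. The first by-field (program_name) supplies the rows, the second (program_version) supplies the column headings, empty cells become 0, and events missing either field are dropped, which is the layout shown in the question. The events are constructed sample data, and the sort order follows Splunk's default lexicographic ordering of by-field values as strings, which is why "9" lands after "4.53.5".

```python
from collections import Counter

# Constructed sample events (not taken from the original post): each is one
# log record carrying the two fields the question splits by.
SAMPLE_EVENTS = [
    {"program_name": "Word", "program_version": "2.04.0"},
    {"program_name": "Word", "program_version": "2.04.0"},
    {"program_name": "Word", "program_version": "2.4.3"},
    {"program_name": "Word", "program_version": "4.53.5"},
    {"program_name": "Excel", "program_version": "2.04.0"},
    {"program_name": "Excel", "program_version": "2.4.3"},
    {"program_name": "Excel", "program_version": "2.4.3"},
    {"program_name": "Excel", "program_version": "3.4.24"},
    {"program_name": "Excel", "program_version": "3.4.24"},
    {"program_name": "Excel", "program_version": "4.53.5"},
    {"program_name": "IE", "program_version": "9"},
    {"program_name": "Excel"},  # no program_version: chart leaves it out
]


def crosstab(events, row_field, col_field):
    """Count events per (row_field, col_field) pair.

    Returns (headings, rows): headings is the sorted list of distinct
    col_field values, rows maps each row_field value to a dict of
    heading -> count with 0 for combinations that never occurred.
    Events lacking either field are skipped, and both axes are sorted
    as strings, mirroring `chart count by <row_field>,<col_field>`.
    """
    counts = Counter()
    for ev in events:
        row, col = ev.get(row_field), ev.get(col_field)
        if row is None or col is None:
            continue
        counts[(str(row), str(col))] += 1
    headings = sorted({col for _, col in counts})
    rows = {}
    for row in sorted({r for r, _ in counts}):
        rows[row] = {h: counts.get((row, h), 0) for h in headings}
    return headings, rows


def render(row_field, headings, rows):
    """Render the crosstab as an aligned text table like the question's."""
    width = max([len(row_field)] + [len(r) for r in rows]) + 2
    lines = [row_field.ljust(width) + "".join(h.ljust(8) for h in headings)]
    for row, cells in rows.items():
        lines.append(row.ljust(width)
                     + "".join(str(cells[h]).ljust(8) for h in headings))
    return "\n".join(lines)


if __name__ == "__main__":
    headings, rows = crosstab(SAMPLE_EVENTS, "program_name", "program_version")
    print(render("program_name", headings, rows))
```

One caveat worth keeping in mind when reproducing this in Splunk: chart's `limit` defaults to 10, so with more than ten distinct versions the remaining columns are folded into a single OTHER column unless you add `limit=0`.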

techytanzy
Explorer

@Drainy 

It's been a decade, but if possible can you please share how you achieved this - "What I have done is performed a search on two fields, program_name and program_version. With the resultant data I have managed to construct a table where the version fields found form the headings for each column."

I am trying to get the same thing - https://community.splunk.com/t5/Splunk-Search/How-to-add-extracted-fields-name-as-first-column-value...

Thanks

0 Karma
