Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change how my table results are displayed by interchanging the rows and columns?

SridharS
Path Finder
‎09-16-2015 01:05 PM

Hi,

I have a search based on date. 

  ...search ... earliest=-d@d latest=now | table _time, host, app_version, RAM_size

This search actually displays the app_version, RAM_size of a server yesterday and today in a table like below:

_time                 host       app_version   RAM_size
2015-09-15 11:48:42   server1       2.0.1          6
2015-09-16 11:48:42   server1       2.0.2          5

i.e today the version has been upgraded in that server and the app_version, RAM_size has been changed.

Is there a way to display the results in row as I expect below?

host            server1                 server1                                  
_time           2015-09-15 11:48:42     2015-09-16 11:48:42
app_version     2.0.1                   2.0.2
RAM_size        6                       5

i.e interchanging row and column.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-16-2015 02:38 PM

You can do something like this

your current search giving fields _time host app_version RAM_size | untable _time Metrics Value | eval Date=strftime(_time,"%y-%m-%d %H:%M:%S") | chart first(Value) over Metrics by Date limit=0

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-16-2015 02:38 PM

You can do something like this

your current search giving fields _time host app_version RAM_size | untable _time Metrics Value | eval Date=strftime(_time,"%y-%m-%d %H:%M:%S") | chart first(Value) over Metrics by Date limit=0
Reply
Solved! Jump to solution

SridharS
Path Finder
‎09-17-2015 08:17 AM

Hi I met a difficult situation here. when I run my search query i was able to see both data from yesterday and today. But when I run it as a dashboard I am able to see only yesterday's data but not today's. Meanwhile

* your current search giving fields _time host app_version RAM_size | untable _time Metrics Value | eval Date=strftime(_time,"%y-%m-%d %H:%M:%S") | chart first(Value) over Metrics by Date limit=0*

this command helps me to sort still I have something to be modified.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-17-2015 08:52 AM

What is the timerange the search is running in your dashboard??

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-16-2015 02:33 PM

You need the transpose command like this:

...search query... earliest=-d@d latest=now | table _time, host, app_version, RAM_size | transpose
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...