Splunk Search

How to edit my search to group keys as column headers with aggregated values in a single row?

track16
Engager

I have a search:

sourcetype="my_data" | stats count by queue

which aggregates data in a table by the field queue.

It generates a table like this:

queue     | count 
queue_one | 1234
queue_two | 7823

(I've shown two rows in this result, but in practice, the number of rows may vary because I don't know what the aggregated keys will be in advance).

How can I adjust my search so that the table shows aggregated keys as column headers which are also extracted fields, with a single row showing the counts, like this:

queue_one | queue_two 
1234      | 7823

Sorry, Splunk's Markdown page doesn't tell me how to create nicely formatted tables.
https://answers.splunk.com/static/markdown/help.html

0 Karma
1 Solution

sundareshr
Legend

Here's one way. There's probably a more elegant way.
... | timechart limit=0 span=10y count by queue | fields - _time


track16
Engager

Thanks @sundareshr!

I'm not supposed to use timechart in my Splunk installation (I believe for performance reasons). My admins tell me to use bucket and stats instead.

Do you know if there is a way to do this with bucket and stats?

0 Karma

sundareshr
Legend

In that case, try this

| stats count by queue | untable queue field count | xyseries field queue count | fields - field

track16
Engager

Works great - thanks!

0 Karma
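The `untable` / `xyseries` pipeline from the thread as a self-contained search, added here as an example and not part of the original posts: `makeresults`, `streamstats` and `eval` build six constructed events across three made-up queue names, so it runs in any search bar without the `my_data` sourcetype.

```spl
| makeresults count=6
| streamstats count AS n
| eval queue=case(n<=3, "queue_one", n<=5, "queue_two", true(), "queue_three")
| stats count by queue
| untable queue field count
| xyseries field queue count
| fields - field
```

The result is a single row with one column per queue value (queue_one=3, queue_two=2, queue_three=1), and the set of columns follows whatever values `stats` finds, so the keys do not need to be known in advance.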