I have a search:
sourcetype="my_data" | stats count by queue
which aggregates data in a table by the field queue.
It generates a table like this:
queue | count
queue_one | 1234
queue_two | 7823
(I've shown two rows in this result, but in practice, the number of rows may vary because I don't know what the aggregated keys will be in advance).
How can I adjust my search so that the table shows aggregated keys as column headers which are also extracted fields, with a single row showing the counts, like this:
queue_one | queue_two
1234 | 7823
Sorry, Splunk's Markdown page doesn't tell me how to create nicely formatted tables.
https://answers.splunk.com/static/markdown/help.html
Here's one way. There's probably a more elegant way...
... | timechart limit=0 span=10y count by queue | fields - _time
Thanks @sundareshr!
I'm not supposed to use timechart in my Splunk installation (I believe for performance reasons). My admins tell me to use bucket and stats instead.
Do you know if there is a way to do this with bucket and stats?
In that case, try this
| stats count by queue | untable queue field count | xyseries field queue count | fields - field
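To make it clearer what each stage of that pipeline does to the rows, here is an added Python model of the four commands (stats count by, untable, xyseries, fields -) run over a constructed set of events. This is illustration code written for this page, not Splunk's implementation; the event list, the helper names and the simplified semantics (only the positional arguments used in the answer, no multivalue handling) are assumptions.

```python
from collections import Counter

# Constructed sample events standing in for sourcetype="my_data" (not real data).
# One event lacks the queue field to show that `stats count by queue` ignores it.
EVENTS = [
    {"queue": "queue_one"},
    {"queue": "queue_one"},
    {"queue": "queue_one"},
    {"queue": "queue_two"},
    {"queue": "queue_two"},
    {"other": "no queue field here"},
]


def stats_count_by(events, field):
    """Model of `stats count by <field>`: one row per distinct value, sorted like Splunk's output."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: key, "count": n} for key, n in sorted(counts.items())]


def untable(rows, x_field, name_field, data_field):
    """Model of `untable <x> <name> <data>`: every column except x becomes its own row
    of (x, column-name, column-value)."""
    out = []
    for row in rows:
        for col, val in row.items():
            if col == x_field:
                continue
            out.append({x_field: row[x_field], name_field: col, data_field: val})
    return out


def xyseries(rows, x_field, name_field, data_field):
    """Model of `xyseries <x> <name> <data>`: the inverse pivot. One output row per
    distinct x value, and each distinct name value becomes a column holding data."""
    table, order = {}, []
    for row in rows:
        x = row[x_field]
        if x not in table:
            table[x] = {x_field: x}
            order.append(x)
        table[x][row[name_field]] = row[data_field]
    return [table[x] for x in order]


def fields_minus(rows, *drop):
    """Model of `fields - <names>`: remove the named columns from every row."""
    return [{k: v for k, v in row.items() if k not in drop} for row in rows]


def pivot_counts(events):
    """The whole answer: stats count by queue | untable queue field count
    | xyseries field queue count | fields - field"""
    rows = stats_count_by(events, "queue")           # queue | count  (one row per queue)
    rows = untable(rows, "queue", "field", "count")  # queue | field="count" | count
    rows = xyseries(rows, "field", "queue", "count") # field="count" | queue_one | queue_two
    return fields_minus(rows, "field")               # queue_one | queue_two (single row)


if __name__ == "__main__":
    for stage, rows in [
        ("stats", stats_count_by(EVENTS, "queue")),
        ("untable", untable(stats_count_by(EVENTS, "queue"), "queue", "field", "count")),
        ("final", pivot_counts(EVENTS)),
    ]:
        print(stage, rows)
```

The key step is that untable turns the single `count` column into a `field` column whose only value is the literal string `count`; xyseries then uses that constant as the one row key and spreads the queue names across columns, so dropping `field` leaves exactly the one-row table the question asked for.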
Works great - thanks!