Solved: Reformat table so values become Column headings

DanielFordWA · ‎01-15-2016

I have a search that ends with

| stats sum(count) AS Hits by _time GUID cs_uri_stem

Which results in a table

I would like to reformat the table as follows, but have had some difficulty.

Any help much appreciated!

vasanthmss · ‎01-15-2016

Hi DanielFordWA,

Try the below search,

... | stats sum(count) AS Hits by _time GUID cs_uri_stem | eval time=strftime(_time,"%+") | eval temp=time+"##"+GUID| table temp cs_uri_stem Hits | xyseries temp, cs_uri_stem Hits | fillnull | rex field=temp "(?<time>.*)##(?<GUID>.*)" | fields - temp | table time, GUID *

I have combined _time and GUID by "##" named as temp field, used xyseries to format the results as you expect. later extract the time and GUID from temp field.

Hope this will solve your problem.

Thanks,
V

V

View solution in original post

vasanthmss · ‎01-15-2016

Hi DanielFordWA,

Try the below search,

... | stats sum(count) AS Hits by _time GUID cs_uri_stem | eval time=strftime(_time,"%+") | eval temp=time+"##"+GUID| table temp cs_uri_stem Hits | xyseries temp, cs_uri_stem Hits | fillnull | rex field=temp "(?<time>.*)##(?<GUID>.*)" | fields - temp | table time, GUID *

I have combined _time and GUID by "##" named as temp field, used xyseries to format the results as you expect. later extract the time and GUID from temp field.

Hope this will solve your problem.

Thanks,
V

V

Reformat table so values become Column headings

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!