Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Transpose CSV column headers to row

test365498
Path Finder
‎07-25-2016 09:04 AM

Hello,

Is Splunk able to, before or after indexing, transpose column and rows in this way:
original file: has column headers
need format: each column header to be appended into a column such that each header is repeated as a row corresponding to a value.

Please see the initial and final screen shot attached. Thank you.

alt text

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎07-27-2016 04:39 PM

Just add this:

... | table percentiles login logout search_result | untable percentiles TYPE duration
0 Karma
Reply

sundareshr
Legend
‎07-25-2016 10:54 AM

How about this

.... | stats first(*) as * by type percentile
0 Karma
Reply

test365498
Path Finder
‎07-25-2016 11:19 AM

Hm, did not seem to produce any results.

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 09:58 AM

This should do it

your base search | untable percentile type value | table type percentile value

See more on untable command here. http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Untable

Reply

test365498
Path Finder
‎07-25-2016 10:35 AM

I need to untable multiple columns, and have the "type" duplicated and corresponding to each value. Leave the percentile however, but in this case the value would need to be duplicated to correspond to each set of "type." Does that make sense?

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 11:25 AM

Not sure I get it completely. If you're desired out is what you need, then give this a try

your base search | untable percentile type value | sort 0 type percentile value | table type percentile value
0 Karma
Reply

test365498
Path Finder
‎07-25-2016 12:11 PM

This is getting closer.
Let me try one more time.

Sample original file:
percentile login logout search_result
1 686 13332 13128
2 687 13333 13129
4 686 13340 13127
8 688 13330 13128
9 690 13331 13126

Desired result after transpose:
type percentile value
login 1 686

login 2 687

login 4 686

login 8 688

login 9 690

logout 1 13332

logout 2 13333

logout 4 13340

logout 8 13330

logout 9 13331

search_result 1 13128
search_result 2 13129
search_result 4 13127
search_result 8 13128
search_result 9 13126

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2016 12:58 PM

I tested with your new sample data and the query returns the desired result.

0 Karma
Reply

JDukeSplunk
Builder
‎07-25-2016 09:42 AM

I know splunk can transpose, but from my experience you have to mess with the column/row names a bit to get it pretty. 

base search | transpose 5

There are some examples here it the documentation.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose

Reply

test365498
Path Finder
‎07-25-2016 10:43 AM

This does not look correct on my end. I need to append all of the headers are rows with corresponding values (of which there are multiple values, for the "type" would be duplicated).

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...