Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Javascript SDK: Is it possible to include column headings as a row in the chart array?

bk028s
Path Finder
‎01-26-2017 08:40 AM

Hi all,

I'm currently working with the Splunk SDK for JavaScript and I am having some difficulties formatting the data from queries. I have a search that looks like this:

* | chart count by _time my_field limit=0 usenull=f useother=f

Which in Splunk looks something like this:

_time                  A    B   C   D
2017-01-26 10:18:42 2   4   8   0
2017-01-26 10:18:43 0   7   6   3
2017-01-26 10:18:44 4   9   5   2
2017-01-26 10:18:46 7   0   5   0

But when I get the results from running the query through the JavaScript SDK, the array I get is basically this:

2017-01-26 10:18:42 2   4   8   0
2017-01-26 10:18:43 0   7   6   3
2017-01-26 10:18:44 4   9   5   2
2017-01-26 10:18:46 7   0   5   0

(without the headers)

Is there an easy way to include the column headers in the array I get in JavaScript?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bk028s
Path Finder
‎01-26-2017 11:13 AM

I'm going to post what I'm using as a kind of work-around right now, but I also want to leave this question open in the hopes that someone smarter or more well-versed in Splunking will provide a cleaner solution.

I've done this:

* | eval time=strftime(_time, "%a, %d %b %Y %H:%M:%S") | chart count by my_field time limit=0 usenull=f useother=f | transpose 0

The time formatting is irrelevant to the actual workaround, which is just to switch my_field and _time in the chart and then transpose the result.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bk028s
Path Finder
‎01-26-2017 11:13 AM

I'm going to post what I'm using as a kind of work-around right now, but I also want to leave this question open in the hopes that someone smarter or more well-versed in Splunking will provide a cleaner solution.

I've done this:

* | eval time=strftime(_time, "%a, %d %b %Y %H:%M:%S") | chart count by my_field time limit=0 usenull=f useother=f | transpose 0

The time formatting is irrelevant to the actual workaround, which is just to switch my_field and _time in the chart and then transpose the result.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...