Solved: How do you remove the first row and get same table...

snallam123 · ‎03-28-2019

My query is

index=_internal source=*metrics.log 
| search series!=_*  group="per_index_thruput"   
| eval GB=kb/(1024*1024)  
| timechart span=1d limit=0 sum(GB) by series
| transpose

I am getting the result

column      row 1               row 2
_time        1553644800       1553731200
index1      0.0000003         0.000002
index2      0.00077             0.00379
index3      0.001077            0.005314

I am looking to replace row 1 and row 2 with days

column   03/28/2019          03/28/2019
   index1     0.0000003         0.000002
index2   0.0007               0.0037
index3   0.00107            0.0053

Can any one help on this?

vnravikumar · ‎03-28-2019

Hi

Give a try

index=_internal source=*metrics.log 
| search series!=_* group="per_index_thruput" 
| eval GB=kb/(1024*1024) 
| timechart span=1d limit=0 sum(GB) by series 
| eval temp=strftime(_time,"%m-%d-%Y") 
| transpose 0 header_field=temp 
| where column!="_time"

View solution in original post

vnravikumar · ‎03-28-2019

Hi

Give a try

index=_internal source=*metrics.log 
| search series!=_* group="per_index_thruput" 
| eval GB=kb/(1024*1024) 
| timechart span=1d limit=0 sum(GB) by series 
| eval temp=strftime(_time,"%m-%d-%Y") 
| transpose 0 header_field=temp 
| where column!="_time"

snallam123 · ‎03-29-2019

Thanks, @vnravikumar , This is exactly what i need.

How do you remove the first row and get same table as it is when used transpose?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life