Splunk Search

How to move the row to column

flora123
Path Finder

Hello,
I have a log like this:

time,type,field1,field3,field3,field4,field5,......

0102,A,2,3,4,1,3,...

0102,B,2,2,4,1,3,...

I want to show the result like below.

              A  B
field1_name   2  2
field2_name   3  2
field3_name   4  4
..........

I tried to use append, but the search is too long.

... type="A" | eval name="field1_name" | stats values(field1) as ta,values(name) as name
| append [search ... type="A" | eval name="field2_name" | stats values(field2) as ta,values(name) as name ]
| append [search ... type="A" | eval name="field3_name" | stats values(field3) as ta,values(name) as name ]
| append [search ... type="B" | eval name="field1_name" | stats values(field1) as tb,values(name) as name ]
| append [search ... type="B" | eval name="field2_name" | stats values(field2) as tb,values(name) as name ]
| append [search ... type="B" | eval name="field3_name" | stats values(field3) as tb,values(name) as name ]
| stats values(ta) as A,values(tb) as B by name

I'm looking to see if there is a more streamlined command.
Thanks a lot.

0 Karma
1 Solution

smolcj
Builder

Transpose the other fields and rename the columns as A, B.
For example:
your search | table field1_name field2_name | transpose | rename "row 1" as A etc...


flora123
Path Finder

Hi smolcj,
thank you a lot!

But there is a small problem.
The result will look like below.

column        row 1  row 2
type          A      B
field1_name   2      2
field2_name   3      2
....

I want to hide the first line.
Is it possible to do that?

Thanks a lot again.

0 Karma

smolcj
Builder

great!!! happy splunking flora

0 Karma

flora123
Path Finder

It seems I think too much.
... | search column!="type"
Thank you very much!!!!

0 Karma

smolcj
Builder

You should extract the fields separately and display all the fields except the type field, then try transposing the result. I mean, avoid the type field in the table.
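
An added example, not part of any post in this thread: a self-contained search that builds two constructed events shaped like the sample log with makeresults, then uses the header_field option of transpose so the values of type become the column names and no separate type row is left to filter out. The field values and the first-column label "name" are assumptions taken from the question's sample.

```spl
| makeresults count=2
| streamstats count AS n
| eval type=if(n=1, "A", "B")
| eval field1=2, field2=if(n=1, 3, 2), field3=4
| table type field1 field2 field3
| transpose header_field=type column_name=name
```

By default transpose only turns the first 5 rows into columns, so pass a row count (0 for all rows) when there are more than five type values.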
