Solved: Transposing a table with _time as header and group...

dojiepreji · ‎10-14-2019

Hello all,

I currently have a search that produces the following output:

This is the result of multiple append and join columns.

I would like to transpose the table to this:

I've tried to use | transpose, but I simply couldn't get it to appear the way I want it. The whole data for Level 1 disappears.

Can anybody please point me in the right direction?

Sukisen1981 · ‎10-14-2019

try this

|eval {_time}=performance|fields - time,- performance|stats values(20*) by critname|rename values(* as ""* , *) as *""

you can also refer to my eaelier answer here on something similar if this does not give you the exact output - https://answers.splunk.com/answers/769617/how-to-extract-values-from-field-and-use-it-as-col.html#an...

gcusello · ‎10-14-2019

Hi dojiepreji,
did yu checked the possibility to use chart command?
something like this

| index=my_index
| bin span=1y _time
| chart count over critName BY _time

Ciao.
Giuseppe

Sukisen1981 · ‎10-14-2019

try this

|eval {_time}=performance|fields - time,- performance|stats values(20*) by critname|rename values(* as ""* , *) as *""

you can also refer to my eaelier answer here on something similar if this does not give you the exact output - https://answers.splunk.com/answers/769617/how-to-extract-values-from-field-and-use-it-as-col.html#an...

Transposing a table with _time as header and grouping the results