https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324846#M5565 <P>@harishyhrk, if your current query is giving your Total_Time, Average and Minimum Columns for two Environments and you need it to be inversed, you should use the <CODE>transpose</CODE> command as the final pipe in your current query i.e.</P> <PRE><CODE> &lt;YourCurrentSearch&gt; | transpose header_field="Environment" column_name="Environment" </CODE></PRE> <P>Following is a run anywhere search based on Splunk's _internal index. (PS: All data/stats is cooked up to generate some chart as per what you currently have).</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4203iB38C308E23804669/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <PRE><CODE>index=_internal sourcetype=splunkd component!="ConfContentsCache" (log_level="WARN" OR log_level="ERROR") | stats sum(date_second) as Total_Time avg(date_second) as Average min(date_second) as Minimum by log_level | replace "ERROR" with "OpenShift" in log_level | replace "WARN" with "Onpremises" in log_level | rename log_level as Environment | transpose header_field=Environment column_name=Environment </CODE></PRE> Wed, 24 Jan 2018 22:03:01 GMT niketn 2018-01-24T22:03:01Z https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324843#M5562 <P>How to mark the fields with a question.</P> Tue, 23 Jan 2018 17:06:24 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324843#M5562 harishyhrk 2018-01-23T17:06:24Z https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324844#M5563 <P>Try with column chart with stacked option (no Trellies)</P> Tue, 23 Jan 2018 19:31:16 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324844#M5563 somesoni2 2018-01-23T19:31:16Z https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324845#M5564 <P>Actually I wanted to say non-stacked option (sorry about that). I create a runanywhere search to generate sample data as yours and use basic column chart for visualization and got this. Does it match what you need?</P> <P>Search:</P> <PRE><CODE>| gentimes start=-1 | eval temp="openpremisis#10.1111#8.2222#2.33333 openshift#12.4444#8.55555#2.66666" | table temp | makemv temp | mvexpand temp | rename temp as _raw | rex "(?&lt;Environment&gt;.+)#(?&lt;Total&gt;.+)#(?&lt;Average&gt;.+)#(?&lt;Minimum&gt;.+)" | table Environment Total Average Minimum </CODE></PRE> <P>Output chart:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4202i7469F4169236340C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 24 Jan 2018 17:45:45 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324845#M5564 somesoni2 2018-01-24T17:45:45Z https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324846#M5565 <P>@harishyhrk, if your current query is giving your Total_Time, Average and Minimum Columns for two Environments and you need it to be inversed, you should use the <CODE>transpose</CODE> command as the final pipe in your current query i.e.</P> <PRE><CODE> &lt;YourCurrentSearch&gt; | transpose header_field="Environment" column_name="Environment" </CODE></PRE> <P>Following is a run anywhere search based on Splunk's _internal index. (PS: All data/stats is cooked up to generate some chart as per what you currently have).</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4203iB38C308E23804669/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <PRE><CODE>index=_internal sourcetype=splunkd component!="ConfContentsCache" (log_level="WARN" OR log_level="ERROR") | stats sum(date_second) as Total_Time avg(date_second) as Average min(date_second) as Minimum by log_level | replace "ERROR" with "OpenShift" in log_level | replace "WARN" with "Onpremises" in log_level | rename log_level as Environment | transpose header_field=Environment column_name=Environment </CODE></PRE> Wed, 24 Jan 2018 22:03:01 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324846#M5565 niketn 2018-01-24T22:03:01Z https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324847#M5566 <P>@harishyhrk, I am not sure if this was intentional, seems like you have wiped off your question with a new one but with only partial information. Requesting you to retain your original question here since answers have been provided with respect to the same. If the issue has been resolved, requesting you to accept the same as well.</P> <P>Also, for a question on different lines, requesting you to post a new question.</P> Fri, 26 Jan 2018 04:45:47 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-question-mark-fields/m-p/324847#M5566 niketn 2018-01-26T04:45:47Z