https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378956#M111062 <P>Hi Apple143,</P> <P>Would you mind posting this as a new question since it is a separate question?</P> Thu, 14 Jun 2018 03:32:24 GMT jluo_splunk 2018-06-14T03:32:24Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378949#M111055 <P>I have trouble in manipulating the table</P> <P>Date contains (index, name, date).</P> <P>name ..... date ................ count<BR /> a ............ 2018-06-07 ..... 500<BR /> a ............ 2018-06-08 ..... 600<BR /> b ............ 2018-06-07 ..... 700<BR /> b ............ 2018-06-08 ..... 800<BR /> c ............ 2018-06-07 ..... 900<BR /> c ............ 2018-06-08 ..... 1000</P> <P>I want to make this table to below form</P> <P>name ........ day1 ........ day2<BR /> a ............... 500 .......... 600<BR /> b ............... 700 .......... 800<BR /> c ............... 900 .......... 1000</P> <P>or it doesn't matter if I can make below table directly(using tstats)</P> <P>I have to use tstats. I already made an Alert that could show table like second table.<BR /> But, It takes too much time so I want to change search command using tstats</P> <P>And here is the search query that I used when I made first table<BR /> | tstats count where index=* by name, _time span=1d)</P> <P>How can I do?<BR /> Somebody help me please.</P> Fri, 08 Jun 2018 22:53:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378949#M111055 apple143 2018-06-08T22:53:35Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378950#M111056 <P>Hi Apple143, </P> <P>Does this work for you?</P> <PRE><CODE>| tstats count where index=* by name, _time span=1d prestats=true | chart count by name, _time </CODE></PRE> Sat, 09 Jun 2018 00:43:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378950#M111056 jluo_splunk 2018-06-09T00:43:51Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378951#M111057 <P>@jluo, small correction _time needs to be converted from epoch time to Epoch time of format YYYY-MM-DD</P> <PRE><CODE> | tstats count where index=* by name, _time span=1d prestats=true | eval Time=strftime(_time,"%Y/%m/%d") | chart count by name, Time </CODE></PRE> Sat, 09 Jun 2018 15:48:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378951#M111057 niketn 2018-06-09T15:48:01Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378952#M111058 <P>Nice catch, Niketnilay <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> @apple143, if this works for you, can you accept the answer?</P> Sun, 10 Jun 2018 19:31:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378952#M111058 jluo_splunk 2018-06-10T19:31:48Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378953#M111059 <P>It works! Thanks a lot!!</P> Mon, 11 Jun 2018 01:23:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378953#M111059 apple143 2018-06-11T01:23:52Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378954#M111060 <P>I checked it. Your correction makes it easier. Thank you!</P> Mon, 11 Jun 2018 01:24:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378954#M111060 apple143 2018-06-11T01:24:54Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378955#M111061 <P>Can I ask one more?<BR /> What if I want to 1 more field?<BR /> Like..<BR /> A-------xx-------06/07-------100<BR /> A-------xx-------06/08-------200<BR /> A-------yy-------06/07-------300<BR /> A-------yy-------06/08-------400<BR /> B-------xx-------06/07-------500<BR /> B-------xx-------06/08-------600</P> <P>to</P> <P>A-------xx-------100-------200<BR /> A-------yy-------300-------400<BR /> B-------xx-------500-------600</P> Wed, 13 Jun 2018 07:28:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378955#M111061 apple143 2018-06-13T07:28:25Z https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378956#M111062 <P>Hi Apple143,</P> <P>Would you mind posting this as a new question since it is a separate question?</P> Thu, 14 Jun 2018 03:32:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-separate-rows-as-column/m-p/378956#M111062 jluo_splunk 2018-06-14T03:32:24Z