https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417367#M120089 <H1>Update</H1> <P>So with a high cardinality field where timechart won't work you can use a straight stats then xyseries.</P> <P><CODE>index=data | stats count by user, date | xyseries user date count</CODE></P> <HR /> <H1>Previous Answer</H1> <P>Take a look at timechart. It creates this exact set of data but transposed; the fields are in the columns and the times in the rows.</P> Mon, 10 Jun 2019 16:48:44 GMT badarsebard 2019-06-10T16:48:44Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417366#M120088 <P>I want to write a search where the events are in one column and the related counts are in each column corresponding to the date, something like this :</P> <PRE><CODE> 01/01/18 01/02/18 01/03/18 ....... 01/29/18 01/30/18 userid1 3 5 30 8 41 userid2 5 88 10 7 8 userid3 45 78 7 8 2 </CODE></PRE> Mon, 10 Jun 2019 15:41:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417366#M120088 ankurtaunk 2019-06-10T15:41:49Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417367#M120089 <H1>Update</H1> <P>So with a high cardinality field where timechart won't work you can use a straight stats then xyseries.</P> <P><CODE>index=data | stats count by user, date | xyseries user date count</CODE></P> <HR /> <H1>Previous Answer</H1> <P>Take a look at timechart. It creates this exact set of data but transposed; the fields are in the columns and the times in the rows.</P> Mon, 10 Jun 2019 16:48:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417367#M120089 badarsebard 2019-06-10T16:48:44Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417368#M120090 <P>The problem is - there are millions of userID and I do not want them in column. I am good if I have millions of rows than column.</P> Mon, 10 Jun 2019 16:50:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417368#M120090 ankurtaunk 2019-06-10T16:50:54Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417369#M120091 <P>@ankurtaunk try the following run anywhere example to see if it fits your needs</P> <PRE><CODE>index=_internal sourcetype=splunkd log_level!=INFO earliest=-7d@d latest=now | eval Time=strftime(_time,"%Y/%m/%d") | chart count as Error by component Time </CODE></PRE> Mon, 10 Jun 2019 17:03:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417369#M120091 niketn 2019-06-10T17:03:17Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417370#M120092 <P>In that case you'll need xyseries. I'll update answer with example.</P> Mon, 10 Jun 2019 17:12:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417370#M120092 badarsebard 2019-06-10T17:12:41Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417371#M120093 <P>@ankurtaunk<BR /> You can use chart command , try below-</P> <PRE><CODE>&lt;your search&gt;| bin span=1d _time | eval date=strftime(_time,"%Y-%m-%d")| chart count over users by date </CODE></PRE> Mon, 10 Jun 2019 17:13:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417371#M120093 Vijeta 2019-06-10T17:13:50Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417372#M120094 <P>Not all the dates are coming . After 10 days, I see colum with "Others". IS this Splunk's limitation that after certain colum it shows others ?</P> <P>I do not think, there is any issue qith query though. Can anyone please suggest ?</P> Mon, 10 Jun 2019 18:29:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417372#M120094 ankurtaunk 2019-06-10T18:29:06Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417373#M120095 <P>Your query is working fine and giving all the column. Thanks a lot.</P> Mon, 10 Jun 2019 18:43:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417373#M120095 ankurtaunk 2019-06-10T18:43:24Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417374#M120096 <P>@ankurtaunk Yes by default limit for timechart and chart is 10 results. You can use limit=0 option with chart and try</P> <PRE><CODE>&lt;your search&gt;| bin span=1d _time | eval date=strftime(_time,"%Y-%m-%d")| chart count over users by date limit=0 </CODE></PRE> Mon, 10 Jun 2019 18:45:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417374#M120096 Vijeta 2019-06-10T18:45:50Z https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417375#M120097 <P>This works too. Thanks</P> Tue, 11 Jun 2019 20:42:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-table-events-in-columns-with-time-date-related-counts/m-p/417375#M120097 ankurtaunk 2019-06-11T20:42:59Z