https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-time-showing-in-the-horizontal/m-p/93925#M24176 <P>Easiest way to switch the direction of the table is to use <CODE>transpose</CODE>. Just throw "<CODE>| transpose</CODE>" at the end of your search. However this might not give you exactly the result you want as the time will be output as epoch values, and will not be in the headers.</P> <P>Another way is to skip <CODE>timechart</CODE> and use the regular <CODE>chart</CODE> command instead, and have it chart over a time field that has been discretized in some way. For instance you can use <CODE>bucket</CODE> (which is what <CODE>timechart</CODE> does automatically for you) and create a field that contains the time in a format that is somewhat easier on the eyes than staring at an epoch value. This will give you the same kind of results as using <CODE>timechart</CODE> with a span of 1 hour.</P> <PRE><CODE>... | bucket span=1h _time | eval formatted_time=strftime(_time, "%c") | chart count over msg by formatted_time </CODE></PRE> <P>Or you could use one of the time fields that are likely already in your log events, such as <CODE>date_hour</CODE>. </P> <PRE><CODE>... | chart count over msg by date_hour </CODE></PRE> <P>The only caveat with both of these examples is that if you're going to chart over several days you will need to take that into account, for instance by concatenating the <CODE>date_mday</CODE> value with <CODE>date_hour</CODE>, or using another <CODE>strftime</CODE> format string.</P> <P>As for your 2nd question, yes, you can filter the chart to get only times with at least a certain number but it's somewhat more complex when splitting the stats by fields rather than using just one. Have a look at this answer which describes this in more detail: <A href="http://splunk-base.splunk.com/answers/12577/filter-a-chart">http://splunk-base.splunk.com/answers/12577/filter-a-chart</A></P> Tue, 18 Oct 2011 20:50:01 GMT Ayn 2011-10-18T20:50:01Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-time-showing-in-the-horizontal/m-p/93924#M24175 <P>I tried the following:</P> <P>host=A earliest=10/01/2011:0:0:0 latest=10/01/2011:11:0:0 | timechart span=1h count by msg</P> <P>Where "msg" is a customerized field. It did output the contents I wanted. But I would like the output table to have the time in the horizontal direction, and the "msg" values (many) in the vertical direction rather than the other way around in the current output. How could I achieve that?</P> <P>The 2nd questions: Can I only show those "msg"s whose counts are more than 10 over the entire span (from earliest to latest)?</P> Tue, 18 Oct 2011 19:31:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-time-showing-in-the-horizontal/m-p/93924#M24175 myli12 2011-10-18T19:31:02Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-time-showing-in-the-horizontal/m-p/93925#M24176 <P>Easiest way to switch the direction of the table is to use <CODE>transpose</CODE>. Just throw "<CODE>| transpose</CODE>" at the end of your search. However this might not give you exactly the result you want as the time will be output as epoch values, and will not be in the headers.</P> <P>Another way is to skip <CODE>timechart</CODE> and use the regular <CODE>chart</CODE> command instead, and have it chart over a time field that has been discretized in some way. For instance you can use <CODE>bucket</CODE> (which is what <CODE>timechart</CODE> does automatically for you) and create a field that contains the time in a format that is somewhat easier on the eyes than staring at an epoch value. This will give you the same kind of results as using <CODE>timechart</CODE> with a span of 1 hour.</P> <PRE><CODE>... | bucket span=1h _time | eval formatted_time=strftime(_time, "%c") | chart count over msg by formatted_time </CODE></PRE> <P>Or you could use one of the time fields that are likely already in your log events, such as <CODE>date_hour</CODE>. </P> <PRE><CODE>... | chart count over msg by date_hour </CODE></PRE> <P>The only caveat with both of these examples is that if you're going to chart over several days you will need to take that into account, for instance by concatenating the <CODE>date_mday</CODE> value with <CODE>date_hour</CODE>, or using another <CODE>strftime</CODE> format string.</P> <P>As for your 2nd question, yes, you can filter the chart to get only times with at least a certain number but it's somewhat more complex when splitting the stats by fields rather than using just one. Have a look at this answer which describes this in more detail: <A href="http://splunk-base.splunk.com/answers/12577/filter-a-chart">http://splunk-base.splunk.com/answers/12577/filter-a-chart</A></P> Tue, 18 Oct 2011 20:50:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-with-time-showing-in-the-horizontal/m-p/93925#M24176 Ayn 2011-10-18T20:50:01Z