https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127327#M34530 <P>Like this:</P> <PRE><CODE>index="aws-cloudwatch" ("i-2" OR "i-3" OR "i-4" OR "i-5" OR "i-6" OR "i-7" OR "i-8" OR "i-9" OR "i-11" OR "i-12" OR "i-13" OR "i-14" OR "i-15" OR "i-16" OR "i-17" OR "i-18" OR "i-19" OR "i-20" ) (metric_name=MemoryUsed OR metric_name=CPUUtilization OR metric_name=MemoryAvailable) | bin span=5m _time | eval MemoryUsed=if(metric_name="MemoryUsed",Average,0) | eval CPUUtilization=if(metric_name="CPUUtilization,Average,0) | eval MemoryAvailable=if(metric_name='MemoryAvailable',Average/1024,0) | stats avg(MemoryUsed) AS MemoryUsed avg(CPUUtilization) AS CPUUtilization avg(MemoryAvailable) ASMemoryAvailable BY _time, metric_dimensions </CODE></PRE> Thu, 16 Jul 2015 21:22:52 GMT woodcock 2015-07-16T21:22:52Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127325#M34528 <P>Need your help,</P> <P>In the below query, we want to convert metric_name as column with values of avg_average, Can you please help us,</P> <PRE><CODE>(index="aws-cloudwatch" ) ("i-2" OR "i-3" OR "i-4" OR "i-5" OR "i-6" OR "i-7" OR "i-8" OR "i-9" OR "i-11" OR "i-12" OR "i-13" OR "i-14" OR "i-15" OR "i-16" OR "i-17" OR "i-18" OR "i-19" OR "i-20" ) (metric_name=MemoryUsed OR metric_name=CPUUtilization OR metric_name=MemoryAvailable) | bin span=5m _time | eval Average=if(metric_name='MemoryAvailable',Average/1024,Average) | stats avg(Average) as "avg_average" by _time, metric_dimensions,metric_name </CODE></PRE> <P>from </P> <P>_time, metric_dimensions,metric_name, avg_average</P> <P>to</P> <P>_time, metric_dimensions, MemoryUsed, CPUUtilization, MemoryAvailable</P> Tue, 29 Sep 2020 06:43:39 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127325#M34528 dhavamanis 2020-09-29T06:43:39Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127326#M34529 <P>Give this a try</P> <PRE><CODE>(index="aws-cloudwatch" ) ("i-2" OR "i-3" OR "i-4" OR "i-5" OR "i-6" OR "i-7" OR "i-8" OR "i-9" OR "i-11" OR "i-12" OR "i-13" OR "i-14" OR "i-15" OR "i-16" OR "i-17" OR "i-18" OR "i-19" OR "i-20" ) (metric_name=MemoryUsed OR metric_name=CPUUtilization OR metric_name=MemoryAvailable) | bin span=5m _time | eval Average=if(metric_name='MemoryAvailable',Average/1024,Average) | eval metric_dimensions=_time."#".metric_dimensions | chart avg(Average) as "avg_average" over metric_dimensions by metric_name | rex field=metric_dimensions "(?&lt;_time&gt;.*)#(?&lt;metric_dimensions&gt;.*)" </CODE></PRE> Thu, 16 Jul 2015 21:20:55 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127326#M34529 somesoni2 2015-07-16T21:20:55Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127327#M34530 <P>Like this:</P> <PRE><CODE>index="aws-cloudwatch" ("i-2" OR "i-3" OR "i-4" OR "i-5" OR "i-6" OR "i-7" OR "i-8" OR "i-9" OR "i-11" OR "i-12" OR "i-13" OR "i-14" OR "i-15" OR "i-16" OR "i-17" OR "i-18" OR "i-19" OR "i-20" ) (metric_name=MemoryUsed OR metric_name=CPUUtilization OR metric_name=MemoryAvailable) | bin span=5m _time | eval MemoryUsed=if(metric_name="MemoryUsed",Average,0) | eval CPUUtilization=if(metric_name="CPUUtilization,Average,0) | eval MemoryAvailable=if(metric_name='MemoryAvailable',Average/1024,0) | stats avg(MemoryUsed) AS MemoryUsed avg(CPUUtilization) AS CPUUtilization avg(MemoryAvailable) ASMemoryAvailable BY _time, metric_dimensions </CODE></PRE> Thu, 16 Jul 2015 21:22:52 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127327#M34530 woodcock 2015-07-16T21:22:52Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127328#M34531 <P>I had a similar situation. The query work well for me except the output field positions.</P> <P>I am getting<BR /> MemoryUsed, CPUUtilization, MemoryAvailable,_time, metric_dimensions</P> <P>Can you plz check and help.</P> <P>This is my query<BR /> index=abc | eval field=field1." | ".field2." | ".field3| chart count over field by field4 | rex field5=field "(?.<EM>)|(?.</EM>)|(?.*)" | fields - field</P> <P>Output:<BR /> field4_1 field4_2 field1 field2 field3</P> Tue, 29 Sep 2020 10:37:51 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127328#M34531 Roopaul 2020-09-29T10:37:51Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127329#M34532 <P>@Roopaul, just replace <CODE>fields - field</CODE> with <CODE>table field4_1 field4_2 field1 field2 field3</CODE></P> Fri, 12 Aug 2016 23:44:32 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127329#M34532 sundareshr 2016-08-12T23:44:32Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127330#M34533 <P>field 4 is dynamically generated.</P> Fri, 12 Aug 2016 23:46:27 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127330#M34533 Roopaul 2016-08-12T23:46:27Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127331#M34534 <P>If the value in field4 are know before hand, try this</P> <PRE><CODE>index=abc | eval field=field1." | ".field2." | ".field3 | eval field4="00".field4 | chart count over field by field4 | rex field5=field "(?.)\|(?.)\|(?.*)" | table 00* field 1 field2 field3 | rename 00* AS * </CODE></PRE> <P>*<STRONG><EM>else</EM></STRONG>*</P> <PRE><CODE>index=abc | eval field=field1." | ".field2." | ".field3 | eval field4="00".field4 | chart count over field by field4 | rex field5=field "(?.)\|(?.)\|(?.*)" | table field4_1 field4_2 field 1 field2 field3 </CODE></PRE> Sat, 13 Aug 2016 00:03:52 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127331#M34534 sundareshr 2016-08-13T00:03:52Z https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127332#M34535 <P>The first one works well. Thanks a lot. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>P.S. &gt; 1st to be used if values is unknown and 2nd if value is known.</P> Sat, 13 Aug 2016 00:15:54 GMT https://community.splunk.com/t5/Splunk-Search/stats-command-help-to-convert-a-row-to-column/m-p/127332#M34535 Roopaul 2016-08-13T00:15:54Z