https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23162#M4098 <P>There's a few ways to attack this. I'm not sure but Splunk may pick up the key/value pair and extract it as-is.</P> <P>Not sure if it needs a , to separate the key/value pairs, but you can test that pretty easily (if you see a Counter #* field in the left-hand field-picker.</P> <P>If you do have the fields already extracted, a simple:</P> <P><CODE>(search terms) | table _time,host,Counter_#1,Counter_#2,Counter_#3</CODE></P> <P>Will give you a table of your values as you describe. You might want to rename the host field as it may get mixed up with Splunk's 'host' field (the source host of the logs). Lookup the 'rename' command in the Splunk docco to do it at search time.</P> <P>If Splunk is not extracting your fields automatically, here is the docco for setting it up manually:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Examples_of_custom_search-time_field_extractions_using_field_transforms">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Examples_of_custom_search-time_field_extractions_using_field_transforms</A></P> <P>You can also look into the 'multikv' search command, to do the extraction manually in every search command you do.</P> <P>Hopefully Splunk will extract the fields automatically, and you just need to search and output your data as a table.</P> <P>Hope it helps.</P> Tue, 10 Apr 2012 10:10:28 GMT Splunker 2012-04-10T10:10:28Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23161#M4097 <P>It is best to demonstrate with an example:</P> <P>Example of data:</P> <P><IMG src="http://imglink.ru/pictures/10-04-12/f8d82de72f0afa9f872b0d541c6dcba0.jpg" alt="Example of data" /></P> <P>And expected tesult table:</P> <P><IMG src="http://imglink.ru/pictures/10-04-12/371bb283096064979af19e2e26604389.jpg" alt="alt text" /></P> Tue, 10 Apr 2012 09:37:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23161#M4097 Print 2012-04-10T09:37:40Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23162#M4098 <P>There's a few ways to attack this. I'm not sure but Splunk may pick up the key/value pair and extract it as-is.</P> <P>Not sure if it needs a , to separate the key/value pairs, but you can test that pretty easily (if you see a Counter #* field in the left-hand field-picker.</P> <P>If you do have the fields already extracted, a simple:</P> <P><CODE>(search terms) | table _time,host,Counter_#1,Counter_#2,Counter_#3</CODE></P> <P>Will give you a table of your values as you describe. You might want to rename the host field as it may get mixed up with Splunk's 'host' field (the source host of the logs). Lookup the 'rename' command in the Splunk docco to do it at search time.</P> <P>If Splunk is not extracting your fields automatically, here is the docco for setting it up manually:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Examples_of_custom_search-time_field_extractions_using_field_transforms">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Examples_of_custom_search-time_field_extractions_using_field_transforms</A></P> <P>You can also look into the 'multikv' search command, to do the extraction manually in every search command you do.</P> <P>Hopefully Splunk will extract the fields automatically, and you just need to search and output your data as a table.</P> <P>Hope it helps.</P> Tue, 10 Apr 2012 10:10:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23162#M4098 Splunker 2012-04-10T10:10:28Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23163#M4099 <P>This was the first thing I tried <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <PRE><CODE>(search) | table host, _time, counter, Value </CODE></PRE> <P>Unfortunately this way does not work:</P> <P><IMG src="http://imglink.ru/pictures/10-04-12/aace8f48faa98767f60d6ef4c1d073e1.jpg" alt="alt text" /></P> Tue, 10 Apr 2012 10:35:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23163#M4099 Print 2012-04-10T10:35:13Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23164#M4100 <P>It's pretty easy to accomplish as long as you have just two fields to grab values from, for instance <CODE>_time</CODE> and <CODE>counter</CODE>. In that case you can chart over <CODE>_time</CODE> by <CODE>counter</CODE>. Like so:</P> <PRE><CODE>... | chart first(Value) over _time by counter </CODE></PRE> <P>I use <CODE>first</CODE> here because <CODE>chart</CODE> needs a statistical function to handle the numerical result from <CODE>Value</CODE>. Because this is the only value for the event, any statistical function that returns the same value as the original will do, like <CODE>avg()</CODE>, <CODE>min()</CODE>, <CODE>max()</CODE>, etc.</P> <P>If you want <CODE>host</CODE> as well it gets more complicated, because <CODE>chart</CODE> can't handle splitting on multiple fields like that. If it's an absolute requirement you can sort of solve it, but there's unfortunately no straightforward way of doing it (that I know of).</P> Tue, 10 Apr 2012 11:33:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23164#M4100 Ayn 2012-04-10T11:33:02Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23165#M4101 <P>Thanks Ayn!<BR /> It's not exactly what I need, but... it's realy close!<BR /> Yes, actually I need to take into account the 'host' column (and one another in reality). <BR /> In addition I ran into a problem: if you use this method, you cannot get more than 10 fields, 11th field appears as 'OTHER'.</P> Tue, 10 Apr 2012 12:11:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23165#M4101 Print 2012-04-10T12:11:51Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23166#M4102 <P>You could use <CODE>stats</CODE> and <CODE>xyseries</CODE> in combination to resolve this:</P> <PRE><CODE>... | stats first(Value) as Value by _time,counter | xyseries _time counter Value </CODE></PRE> Tue, 10 Apr 2012 12:18:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23166#M4102 Ayn 2012-04-10T12:18:58Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23167#M4103 <P>Nice. But it works only for splunk chart.<BR /> Actually I'm more interested in a simple table (in order to further analysis in Excel with pivot tables).<BR /> Is there any way to solve the initial problem as long as I know all the possible values for the 'counter' field?</P> Tue, 10 Apr 2012 13:07:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23167#M4103 Print 2012-04-10T13:07:10Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23168#M4104 <P>What you get <EM>is</EM> a table. What's not working?</P> Tue, 10 Apr 2012 13:09:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23168#M4104 Ayn 2012-04-10T13:09:08Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23169#M4105 <P>Yes of course:)<BR /> But I would like to have a table with columns named by 'counter' field values and with the values from the corresponding 'Value' fields (as shown in figure 'Expected result table' above).</P> Tue, 10 Apr 2012 13:33:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23169#M4105 Print 2012-04-10T13:33:22Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23170#M4106 <P>I don't understand - this kind of table is exactly what you get by running the command I wrote. (at least it's what I get...)</P> Tue, 10 Apr 2012 13:36:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23170#M4106 Ayn 2012-04-10T13:36:12Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23171#M4107 <P>Yeah, excuse me please. You're absolutely right.<BR /> This is my mistake. I just tried to add the host and instance to my query... Thanks for your help!</P> Tue, 10 Apr 2012 14:16:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-values-as-column-headers/m-p/23171#M4107 Print 2012-04-10T14:16:38Z