Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transpose question

emilep
Explorer
‎10-09-2023 01:32 AM

Hi,

I have a query like:

index=federated:ccs_rmail sourcetype="rmail:KIC:reports"
| dedup _time
| timechart span=1mon sum(cisco_*) as cisco_*
| addtotals
| eval rep_perc = round(cisco_stoppedbyreputation/Total*100,2),
spam_perc =round(cisco_spam/Total*100,2),
virus_perc=round(cisco_virus/Total*100,6)
| table cisco_stoppedbyreputation,rep_perc,cisco_spam,spam_perc,cisco_virus,virus_perc
| rename cisco_spam as spam, cisco_virus as virus,cisco_stoppedbyreputation as reputation
| transpose


The result look like:

column

row 1
reputation 740284221
rep_perc 82.46
spam 9695175
spam_perc 1.08
virus 700
virus_perc 0.000078


Is it possible to have something like this?

Name # %
reputation 740284221 82.46
spam 9695175 1.08
virus 700 0.000078


Thanks,
Emile

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2023 02:57 AM 
| timechart span=1mon sum(cisco_*) as cisco_*
| rename cisco_* as *
| rename stoppedbyreputation as reputation
| untable _time name count
| fields - _time
| eventstats sum(count) as total
| eval percentage=round(100*count/total,2)
| fields - total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2023 02:57 AM 
| timechart span=1mon sum(cisco_*) as cisco_*
| rename cisco_* as *
| rename stoppedbyreputation as reputation
| untable _time name count
| fields - _time
| eventstats sum(count) as total
| eval percentage=round(100*count/total,2)
| fields - total
0 Karma
Reply
Solved! Jump to solution

emilep
Explorer
‎10-09-2023 04:53 AM

Hi @ITWhisperer ,
Here it seems that transpose was not the good approach.
Your solution is working as expected.
Many thanks,
Emile

0 Karma
Reply
Solved! Jump to solution

emilep
Explorer
‎10-09-2023 02:16 AM

The result without the transpose looks like:

reputation

rep_perc

spam

spam_perc

virus

virus_perc

74028422182.4696951751.087000.000078

I would like to include this table in a glass table, but as it is formatted here it taking to much place.



0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-09-2023 01:39 AM

HI @emilep,

what's the resul without transpose?

did you read the command description at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Transpose ?

in addition, there's this useful link https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-transpose-xyseries-untable-and-mor...

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...