Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transpose question

emilep
Explorer
‎10-09-2023 01:32 AM

Hi,

I have a query like:

index=federated:ccs_rmail sourcetype="rmail:KIC:reports"
| dedup _time
| timechart span=1mon sum(cisco_*) as cisco_*
| addtotals
| eval rep_perc = round(cisco_stoppedbyreputation/Total*100,2),
spam_perc =round(cisco_spam/Total*100,2),
virus_perc=round(cisco_virus/Total*100,6)
| table cisco_stoppedbyreputation,rep_perc,cisco_spam,spam_perc,cisco_virus,virus_perc
| rename cisco_spam as spam, cisco_virus as virus,cisco_stoppedbyreputation as reputation
| transpose


The result look like:

column

row 1
reputation 740284221
rep_perc 82.46
spam 9695175
spam_perc 1.08
virus 700
virus_perc 0.000078


Is it possible to have something like this?

Name # %
reputation 740284221 82.46
spam 9695175 1.08
virus 700 0.000078


Thanks,
Emile

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2023 02:57 AM 
| timechart span=1mon sum(cisco_*) as cisco_*
| rename cisco_* as *
| rename stoppedbyreputation as reputation
| untable _time name count
| fields - _time
| eventstats sum(count) as total
| eval percentage=round(100*count/total,2)
| fields - total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2023 02:57 AM 
| timechart span=1mon sum(cisco_*) as cisco_*
| rename cisco_* as *
| rename stoppedbyreputation as reputation
| untable _time name count
| fields - _time
| eventstats sum(count) as total
| eval percentage=round(100*count/total,2)
| fields - total
0 Karma
Reply
Solved! Jump to solution

emilep
Explorer
‎10-09-2023 04:53 AM

Hi @ITWhisperer ,
Here it seems that transpose was not the good approach.
Your solution is working as expected.
Many thanks,
Emile

0 Karma
Reply
Solved! Jump to solution

emilep
Explorer
‎10-09-2023 02:16 AM

The result without the transpose looks like:

reputation

rep_perc

spam

spam_perc

virus

virus_perc

74028422182.4696951751.087000.000078

I would like to include this table in a glass table, but as it is formatted here it taking to much place.



0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-09-2023 01:39 AM

HI @emilep,

what's the resul without transpose?

did you read the command description at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Transpose ?

in addition, there's this useful link https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-transpose-xyseries-untable-and-mor...

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...