Knowledge Management

Transpose question

emilep
Explorer

Hi,

I have a query like:

index=federated:ccs_rmail sourcetype="rmail:KIC:reports"
| dedup _time
| timechart span=1mon sum(cisco_*) as cisco_*
| addtotals
| eval rep_perc = round(cisco_stoppedbyreputation/Total*100,2),
spam_perc =round(cisco_spam/Total*100,2),
virus_perc=round(cisco_virus/Total*100,6)
| table cisco_stoppedbyreputation,rep_perc,cisco_spam,spam_perc,cisco_virus,virus_perc
| rename cisco_spam as spam, cisco_virus as virus,cisco_stoppedbyreputation as reputation
| transpose


The result look like:

column

row 1

reputation 740284221
rep_perc 82.46
spam 9695175
spam_perc 1.08
virus 700
virus_perc 0.000078


Is it possible to have something like this?

Name # %
reputation 740284221 82.46
spam 9695175 1.08
virus 700 0.000078


Thanks,
Emile

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| timechart span=1mon sum(cisco_*) as cisco_*
| rename cisco_* as *
| rename stoppedbyreputation as reputation
| untable _time name count
| fields - _time
| eventstats sum(count) as total
| eval percentage=round(100*count/total,2)
| fields - total

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| timechart span=1mon sum(cisco_*) as cisco_*
| rename cisco_* as *
| rename stoppedbyreputation as reputation
| untable _time name count
| fields - _time
| eventstats sum(count) as total
| eval percentage=round(100*count/total,2)
| fields - total
0 Karma

emilep
Explorer

Hi @ITWhisperer ,
Here it seems that transpose was not the good approach.
Your solution is working as expected.
Many thanks,
Emile

0 Karma

emilep
Explorer

The result without the transpose looks like:

reputation

rep_perc

spam

spam_perc

virus

virus_perc

74028422182.4696951751.087000.000078

I would like to include this table in a glass table, but as it is formatted here it taking to much place.



0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @emilep,

what's the resul without transpose?

did you read the command description at https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Transpose ?

in addition, there's this useful link https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-transpose-xyseries-untable-and-mor...

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...