Splunk Enterprise

How to Convert row values to column name with corresponding values.

abhishekpatel2
Explorer

My base search provides me this result:

Column_1   Column_2
---------------------------
           Val1
A          Val2
           Val3
---------------------------
           Val4
B          Val5
           Val6
           Val7
---------------------------

I want to transform value of Column 2 over Column 1.

Output should be:

A      |  B
Val1   |  Val4
Val2   |  Val5
Val3   |  Val6
       |  Val7

I have tried chart values(column_2) by column_1. No luck in that.

0 Karma

ITWhisperer
SplunkTrust
| transpose 0 header_field=Column_1
| where column="Column_2"
| fields - column
0 Karma

manjunathmeti
Champion

Hi @abhishekpatel2,

Assuming Column_2 is a multivalued field, you can try this query:

base_search | mvexpand Column_2 | eval new=mvzip(Column_1, Column_2) | xyseries new, Column_1, Column_2 | fields - new

 

If this reply helps you, an upvote/like would be appreciated.

 

abhishekpatel2
Explorer

But it is giving only single values for column_2. I want all the corresponding values of column_2 for that column_1 (duplication of values of column_2 is allowed).

0 Karma

manjunathmeti
Champion

Try this:

base_search | mvexpand Column_2 | streamstats count | eval new=mvzip(Column_1, Column_2, count) | xyseries new, Column_1, Column_2 | fields - new

 

If this reply helps you, an upvote/like would be appreciated.

abhishekpatel2
Explorer

It is not giving any output statistics. (What needs to be added after streamstats count, or keep it as it is?)

0 Karma

abhishekpatel2
Explorer

Screenshot (140).png

0 Karma

manjunathmeti
Champion

The field's name is wrong in line number 7. And remove line numbers 3 and 4, these are not required.

0 Karma

abhishekpatel2
Explorer

Screenshot (141).png

0 Karma

abhishekpatel2
Explorer

I get these blank cells under the values for column_1. I need continuous output, or I can say a tabular matrix, with each cell having values under column_1 and no blank cells until no new values are found. Can you please help me with this...

0 Karma

manjunathmeti
Champion

Post some input data and output you are expecting.

0 Karma
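
One way to get the gap-free layout asked for in this thread, as an added example that is not from any of the posters: number the values within each Column_1 group with streamstats, then pivot on that number so the Nth value of every group lands in the same row. The first five lines only construct the sample data from the question; the field names `raw` and `row` are assumptions.

```spl
| makeresults
| eval raw=split("A:Val1,Val2,Val3;B:Val4,Val5,Val6,Val7", ";")
| mvexpand raw
| rex field=raw "(?<Column_1>[^:]+):(?<Column_2>.+)"
| makemv delim="," Column_2
| mvexpand Column_2
| streamstats count as row by Column_1
| xyseries row Column_1 Column_2
| sort 0 num(row)
| fields - row
```

In a real search, replace everything up to and including the makemv line with the base search. Shorter groups leave empty cells only at the bottom of their column, as in the expected output above.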