Re: Transpose - Include data in column vs row

dglass0215 · ‎07-18-2024

Hello! Wondering if someone can help me fine tune my query. I have it very close but not quite what I want.

Here is my query in addition to screenshot of what the results currently look like:

[SomeSearch] | stats sum(FRCount) as totalHourCount by QSDateOfTxn, QSHourOfTxn limit=1000
| eval PPM = round(totalHourCount/60,2)
| transpose 0 header_field=QSHourOfTxn

I would like the date to be a column (it is possible there would be multiple dates) but still show both totalHourCount and PPM as is per every hour.

Thanks,

David

ITWhisperer · ‎07-18-2024

You could do something like this

| chart sum(FRCount) as totalHourCount by QSDateOfTxn, QSHourOfTxn limit=1000
| eval row=mvrange(0,2)
| mvexpand row
| eval _metric=QSDateOfTxn." ".mvindex(split("totalHourCount,PPM",","),row)
| fields - QSDateOfTxn
| rename row as _row
| foreach *
    [| eval <<FIELD>>=if(_row=0,'<<FIELD>>',round('<<FIELD>>'/60,2))]
| eval QSDateOfTxn=mvindex(split(_metric," "),0)
| eval metric=mvindex(split(_metric," "),1)
| table QSDateOfTxn metric *

dglass0215 · ‎07-18-2024

First, let me say thank you! It certainly works and is exactly what I was looking for. But man, isn't there any other easier way? lol

Transpose - Include data in column vs row

development

troubleshooting

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation