Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Breakdown _time into date and time and then transpose

ndaniel88
Explorer
‎02-25-2019 12:44 PM

Hello,

I have a table like this:

+---------------------+-------+
| _time | value |
+---------------------+-------+
| 2/11/2019 13:00 | 5 |

| 2/11/2019 14:00 | 4 |

| 2/11/2019 15:00 | 2 |
| 2/12/2019 13:00 | 3 |
| 2/12/2019 14:00 | 2 |
| 2/12/2019 15:00 | 1 |
| 2/13/2019 13:00 | 7 |
| 2/13/2019 14:00 | 6 |
| 2/13/2019 15:00 | 9 |
+------------------+---+-------+

And I need to transpose in something like this

+-------+-----------+-----------+-----------+
| _time | 2/11/19 | 2/12/19 | 2/13/19 |
+-------+-----------+-----------+-----------+
| 13:00 | 5 | 3 | 7 |
| 14:00 | 4 | 2 | 6 |
| 15:00 | 2 | 1 | 9 |
+-------+-----------+-----------+-----------+

I was able to transpose the row values as columns using:

| transpose 0 header_field=days

(days is a substr containing the date), but I don't have an idea on how to build the rest of the table. Any help is much appreciated.

Thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-25-2019 06:22 PM

Hi @ndaniel88

Try like and let me know

index=_internal 
| timechart span=1h count 
| eval date=strftime(_time,"%m/%d/%Y") 
| eval time=strftime(_time,"%H:%M") 
| xyseries time date count

View solution in original post

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎02-25-2019 06:22 PM

Hi @ndaniel88

Try like and let me know

index=_internal 
| timechart span=1h count 
| eval date=strftime(_time,"%m/%d/%Y") 
| eval time=strftime(_time,"%H:%M") 
| xyseries time date count
Reply
Solved! Jump to solution

ndaniel88
Explorer
‎02-26-2019 06:31 AM

Thanks! it works 🙂

xyseries is an interesting command, i had never used it before.

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎02-25-2019 06:10 PM

@ndaniel88 Try this

index=<your index>| eval Date=strftime(_time,"%m/%d/%Y")|eval Time=strftime(_time,"%H:%M:%S")
|chart limit=0 values(value) over Date by Time
Reply
Solved! Jump to solution

ndaniel88
Explorer
‎02-26-2019 06:28 AM

Thank you so much!, I just need to switch to "over Time by Date" and it works perfectly! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...