Solved: Re: How do I change the structure of the following...

AKG1_old1 · ‎12-04-2018

Hello,

My search query produce the table in below format.

_time                          Class                   Memory
2018-12-03 16:07:47             A                        19
2018-12-03 16:08:29             A                        18
2018-12-03 16:16:43             A                        20
2018-12-03 16:07:47             B                       111
2018-12-03 16:08:29             B                       120
2018-12-03 16:16:43             B                       105

I am looking to convert it in below format.

_time                            A               B   
2018-12-03 16:07:47             19              111
2018-12-03 16:08:29             18              120
2018-12-03 16:16:43             20              105

Search Query:

index=* sourcetype=jmap host=* | fields _time class bytes | eval MB= round(bytes/1000000,0) | stats values(MB) as Memory_MB  by _time,class | sort class | head 10 | fields _time class Memory_MB

Thanks

AKG1_old1 · ‎12-04-2018

index=* sourcetype=jmap host=* | fields _time class bytes | eval MB= round(bytes/1000000,0) | stats values(MB) as Memory_MB  by _time,class | sort class | head 10 | fields class Memory_MB | chart values(Memory_MB) as Memory by _time,class

View solution in original post

AKG1_old1 · ‎12-04-2018

index=* sourcetype=jmap host=* | fields _time class bytes | eval MB= round(bytes/1000000,0) | stats values(MB) as Memory_MB  by _time,class | sort class | head 10 | fields class Memory_MB | chart values(Memory_MB) as Memory by _time,class

How do I change the structure of the following table?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann