Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I change the structure of the following table?

AKG1_old1
Builder
‎12-04-2018 03:38 AM

Hello,

My search query produce the table in below format.

_time                          Class                   Memory
2018-12-03 16:07:47             A                        19
2018-12-03 16:08:29             A                        18
2018-12-03 16:16:43             A                        20
2018-12-03 16:07:47             B                       111
2018-12-03 16:08:29             B                       120
2018-12-03 16:16:43             B                       105

I am looking to convert it in below format.

_time                            A               B   
2018-12-03 16:07:47             19              111
2018-12-03 16:08:29             18              120
2018-12-03 16:16:43             20              105

Search Query:

index=* sourcetype=jmap host=* | fields _time class bytes | eval MB= round(bytes/1000000,0) | stats values(MB) as Memory_MB  by _time,class | sort class | head 10 | fields _time class Memory_MB

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

AKG1_old1
Builder
‎12-04-2018 03:51 AM 
index=* sourcetype=jmap host=* | fields _time class bytes | eval MB= round(bytes/1000000,0) | stats values(MB) as Memory_MB  by _time,class | sort class | head 10 | fields class Memory_MB | chart values(Memory_MB) as Memory by _time,class

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

AKG1_old1
Builder
‎12-04-2018 03:51 AM 
index=* sourcetype=jmap host=* | fields _time class bytes | eval MB= round(bytes/1000000,0) | stats values(MB) as Memory_MB  by _time,class | sort class | head 10 | fields class Memory_MB | chart values(Memory_MB) as Memory by _time,class
0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...