Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I convert rows to columns by time?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
10-09-2018
11:39 PM
I have universal forwarder data which I access using the below query, but the fields are coming in each row.
I want all these rows to be columns by time.
When i do chart, I lose the time and it shows only the last value by time instead of showing for each time.
How do I fix the query so that i have the last value for each time?
the data gets collected every 15 mins..
index=win_uf sourcetype="Perfmon:LogicalDisk" host="####" instance="_Total"
|eval RaisedDateTime=_time
|search counter="% Free Space" OR counter="Free Megabytes" OR counter="% Idle Time" OR counter="Avg. Disk sec/Transfer"
|table host counter _time Value
|bucket _time span=15m
|chart last(Value) by host counter
this works, but shows a single line for all the time frames.
But, i would like to see the same line for each time entry..
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
10-11-2018
01:57 AM
i dont know if this is the right way to do it, but i got it working by using evals..
index=testindex sourcetype="Perfmon:LogicalDisk" instance="_Total"
|search counter="% Free Space" OR counter="Free Megabytes" OR counter="% Idle Time" OR counter="Avg. Disk sec/Transfer"
|table host Value counter _time
|eval TimeHost=_time+":"+host
|chart values(Value) by TimeHost counter
|eval ActualTime=mvindex(split(TimeHost,":"),0)
|eval fields=split(TimeHost,":")
|eval host=mvindex(fields,1)
|fields - fields TimeHost
|eval _time=ActualTime
i now have all the fields of counter with appropriate values + host + _time..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
10-11-2018
01:57 AM
i dont know if this is the right way to do it, but i got it working by using evals..
index=testindex sourcetype="Perfmon:LogicalDisk" instance="_Total"
|search counter="% Free Space" OR counter="Free Megabytes" OR counter="% Idle Time" OR counter="Avg. Disk sec/Transfer"
|table host Value counter _time
|eval TimeHost=_time+":"+host
|chart values(Value) by TimeHost counter
|eval ActualTime=mvindex(split(TimeHost,":"),0)
|eval fields=split(TimeHost,":")
|eval host=mvindex(fields,1)
|fields - fields TimeHost
|eval _time=ActualTime
i now have all the fields of counter with appropriate values + host + _time..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
10-10-2018
05:30 AM
Try
Timechart last(Value) by host span = 15 min
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
10-10-2018
08:03 AM
Thanks for your response , im missing the counter field which has the actual rows that should be columns.
such as FreeMB etc...
how to include the counter field as well..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
10-10-2018
08:27 AM
Either use
|stats last(Value) by _time host counter
Once the chart is plotted , you can use trellis layout from chart settings and display as per host or counter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jiaqya
Builder
10-10-2018
08:43 AM
unfortunately , i need to show it by counter as its getting fed into a summary index , after which the visualization is configured..
the above one gives me the data, but the counter fields are still rows..
i need counter rows as columns and _time as column and host as column
the counter rows which are now columns should have the appropriate values for each column.
Get Updates on the Splunk Community!
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
