Solved: How do I convert rows to columns by time?

jiaqya · ‎10-09-2018

I have universal forwarder data which I access using the below query, but the fields are coming in each row.

I want all these rows to be columns by time.

When i do chart, I lose the time and it shows only the last value by time instead of showing for each time.

How do I fix the query so that i have the last value for each time?

the data gets collected every 15 mins..

index=win_uf sourcetype="Perfmon:LogicalDisk" host="####" instance="_Total"
|eval RaisedDateTime=_time
|search counter="% Free Space" OR counter="Free Megabytes" OR counter="% Idle Time" OR counter="Avg. Disk sec/Transfer"
|table host counter _time Value
|bucket _time span=15m 
|chart last(Value) by host counter

this works, but shows a single line for all the time frames.

But, i would like to see the same line for each time entry..

jiaqya · ‎10-11-2018

i dont know if this is the right way to do it, but i got it working by using evals..

index=testindex sourcetype="Perfmon:LogicalDisk" instance="_Total"
|search counter="% Free Space" OR counter="Free Megabytes" OR counter="% Idle Time" OR counter="Avg. Disk sec/Transfer"
|table host Value counter _time
|eval TimeHost=_time+":"+host
|chart values(Value) by TimeHost counter
|eval ActualTime=mvindex(split(TimeHost,":"),0)
|eval fields=split(TimeHost,":")
|eval host=mvindex(fields,1)
|fields - fields TimeHost
|eval _time=ActualTime

i now have all the fields of counter with appropriate values + host + _time..

View solution in original post

jiaqya · ‎10-11-2018

i dont know if this is the right way to do it, but i got it working by using evals..

index=testindex sourcetype="Perfmon:LogicalDisk" instance="_Total"
|search counter="% Free Space" OR counter="Free Megabytes" OR counter="% Idle Time" OR counter="Avg. Disk sec/Transfer"
|table host Value counter _time
|eval TimeHost=_time+":"+host
|chart values(Value) by TimeHost counter
|eval ActualTime=mvindex(split(TimeHost,":"),0)
|eval fields=split(TimeHost,":")
|eval host=mvindex(fields,1)
|fields - fields TimeHost
|eval _time=ActualTime

i now have all the fields of counter with appropriate values + host + _time..

Vijeta · ‎10-10-2018

Try
Timechart last(Value) by host span = 15 min

jiaqya · ‎10-10-2018

Thanks for your response , im missing the counter field which has the actual rows that should be columns.
such as FreeMB etc...

how to include the counter field as well..

Vijeta · ‎10-10-2018

Either use

|stats last(Value) by _time host counter

Once the chart is plotted , you can use trellis layout from chart settings and display as per host or counter

jiaqya · ‎10-10-2018

unfortunately , i need to show it by counter as its getting fed into a summary index , after which the visualization is configured..

the above one gives me the data, but the counter fields are still rows..

i need counter rows as columns and _time as column and host as column
the counter rows which are now columns should have the appropriate values for each column.

How do I convert rows to columns by time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation