I am trying to take the results of a timechart table and normalize/flatten/un-pivot the data. For example, I have the following results table:
_time A B C
1-2015 1 4 7
2-2015 2 5 8
3-2015 3 6 9
And I want to convert this into:
_name _time value
A 1-2015 1
A 2-2015 2
A 3-2015 3
B 1-2015 4
B 2-2015 5
B 3-2015 6
C 1-2015 7
C 2-2015 8
C 3-2015 9
How do I do this? Thanks!
Nevermind. I figured it out: I need to use the untable command.
For others who have this same issue, here is another post on Splunk Answers which has more helpful information: https://answers.splunk.com/answers/136599/how-to-convert-multiple-fieldname-fieldvalue-entries-into-...
Do you mind posting the untable command you used for this? Just would be helpful to have it posted for others trying to do the same thing, because the untable documentation is not very descriptive. Thanks!