Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I use the transpose command header_field argument to reformat my table?

splk_clheureux
Explorer
‎12-22-2015 02:45 AM

I have a table from a timechart like this :

Month         LE11         LE12          LE41
January       1680         5218          1241
February      3949         3427          2850
March         3548         1307          6016

My goal is:

          January       February       March          
LE11      1680          3949           3548           
LE12      5218          3427           1307            
LE41      1241          2850           6016

I actually use a trick with rename to obtain correct columns names, but I think it makes my search longer (got 12 columns). I read on Splunk docs, there is a header_field option, but it seems like it doesn't work. I don't really understand how this option works.

Forgive my poor English, thanx a lot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-23-2015 04:30 PM

Have you looked at untable and xyseries commands. You can achieve what you are looking for with these two commands

View solution in original post

Reply
Solved! Jump to solution

fdi01
Motivator
‎12-28-2015 01:34 AM

this link can help you Mr splk_clheureux
https://answers.splunk.com/answers/241080/how-to-rotate-a-table-using-transpose-remove-the-f.html

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-23-2015 04:30 PM

Have you looked at untable and xyseries commands. You can achieve what you are looking for with these two commands

Reply
Solved! Jump to solution

splk_clheureux
Explorer
‎12-28-2015 12:29 AM

Thank you but I tried these two commands and the problem is that they do not show the columns with values 0 or empty

0 Karma
Reply
Solved! Jump to solution

splk_clheureux
Explorer
‎12-28-2015 02:42 AM

This is work. Thank you

0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎12-23-2015 03:13 PM

Hi splk_clheureux,

The header_field option is actually meant to specify which field you would like to make your header field. For example, you are transposing your table such that the months are now the headers (or column names), when they were previously LE11, LE12, etc..

However, there may be a way to rename earlier in your search string. This depends on which commands you are using. Hope this helps!

0 Karma
Reply
Solved! Jump to solution

splk_clheureux
Explorer
‎12-28-2015 12:34 AM

Thank you for answer, I tried to use this option by setting header field=month but it doesn't work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...