Splunk Search

How to change how my table results are displayed by interchanging the rows and columns?

Path Finder

Hi,

I have a search based on date.

  ...search ... earliest=-d@d latest=now | table _time, host, app_version, RAM_size 

This search actually displays the appversion, RAMsize of a server yesterday and today in a table like below:

_time                 host       app_version   RAM_size
2015-09-15 11:48:42   server1       2.0.1          6
2015-09-16 11:48:42   server1       2.0.2          5

i.e today the version has been upgraded in that server and the appversion, RAMsize has been changed.

Is there a way to display the results in row as I expect below?

host            server1                 server1                                  
_time           2015-09-15 11:48:42     2015-09-16 11:48:42
app_version     2.0.1                   2.0.2
RAM_size        6                       5

i.e interchanging row and column.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You can do something like this

your current search giving fields _time host app_version RAM_size | untable _time Metrics Value | eval Date=strftime(_time,"%y-%m-%d %H:%M:%S") | chart first(Value) over Metrics by Date limit=0

View solution in original post

SplunkTrust
SplunkTrust

You can do something like this

your current search giving fields _time host app_version RAM_size | untable _time Metrics Value | eval Date=strftime(_time,"%y-%m-%d %H:%M:%S") | chart first(Value) over Metrics by Date limit=0

View solution in original post

Path Finder

Hi I met a difficult situation here. when I run my search query i was able to see both data from yesterday and today. But when I run it as a dashboard I am able to see only yesterday's data but not today's. Meanwhile

* your current search giving fields _time host app_version RAM_size | untable _time Metrics Value | eval Date=strftime(_time,"%y-%m-%d %H:%M:%S") | chart first(Value) over Metrics by Date limit=0*

this command helps me to sort still I have something to be modified.

0 Karma

SplunkTrust
SplunkTrust

What is the timerange the search is running in your dashboard??

0 Karma

Esteemed Legend

You need the transpose command like this:

...search query... earliest=-d@d latest=now | table _time, host, app_version, RAM_size | transpose
0 Karma