Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to change the format of my data?

xvxt006
Contributor
‎06-29-2014 10:06 AM

Hi,

we have data that i am getting report using addcols to combine the data and using transpose to get the data in the below format. if anyone wants the query that i am using, i can send it

Measure value
number of subscriptions today 10
number of subscriptions Lastweek 5
Delta in subscriptions % 100%
Revenue today $ 100
Revenue Lastweek $ 50

Delta in Revenue 100%
Requests today 200
Requests LastWeek 100
Delta in Requests 100%

I want the data in the below format -

Measure Today LastWeek Delta

Subscriptions 10 5 100
Revenue $ 100 $ 50 100
Requests 200 100 100

How can this be done?

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-29-2014 12:43 PM

As naïve postprocessing, you could do this:

... | eval Today = case(match(Measure, "(?i)today")) | eval LastWeek = case(match(Measure, "(?i)lastweek")) | eval Delta = case(match(Measure, "(?i)delta")) | eval Measure = case(match(Measure, "(?i)subscriptions"), "Subscriptions", match(Measure, "(?i)revenue"), "Revenue", match(Measure, "(?i)requests"), "Requests") | stats values(Today) as Today values(LastWeek) as LastWeek values(Delta) as Delta by Measure

However, that's fairly ugly... and I agree with Lisa, there's probably a nicer way to produce the directly data in your query.

0 Karma
Reply

lguinn2
Legend
‎06-29-2014 12:20 PM

Please post the query, and it will be simple for us to respond.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...