Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert transpose rows to columns by column...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
josephpe
Explorer
07-14-2024
06:54 PM
I have result like this
column, row 1
TotalHits: Create, 171
TotalHits: Health, 894
TotalHits: Search, 172
TotalHits: Update, 5
perc90(Elapsed): Create, 55
perc90(Elapsed): Health, 52
perc90(Elapsed): Search, 60
perc90(Elapsed): Update, 39
I want to convert this into
| Total Hits | perc90(Elapsed) | |
| Create | 171 | 55 |
| Update | 5 | 52 |
| Search | 172 | 60 |
| Health | 894 | 52 |
What query should I use
Btw, to reach the above output I used like this, even this I am not sure whether its the best way
index=xyz
| search Feature IN (Create, Update, Search, Health)
| bin _time span=1m
| timechart count as TotalHits, perc90(Elapsed) by Feature
| stats max(*) AS *
| transpose
Basically I am trying to get the MAX of the 90th percentile and Total Hits during a time window.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
07-14-2024
09:06 PM
Try this:
index=xyz Feature IN (Create, Update, Search, Health)
| timechart span=1m count as TotalHits, perc90(Elapsed) by Feature
| appendpipe
[stats max("Total Hits: *") as *
| eval _time = "Total Hits"]
| fields - "Total Hits: *"
| appendpipe
[stats max("perc90(Elapsed): *") as *
| eval _time = "perc90(Elapsed)"]
| fields - "perc90*"
| tail 2
| transpose header_field=_time column_name=Feature
| where Feature != "_span"
Two additional pointers:
- Do not use a second search line if Feature is already available in indexed data.
- Do not use a separate command for time bucket if you are going to use timechart.
This is my emulation:
index=_internal
| rename date_second as Elapsed, log_level as Feature
| eval Feature = case(Feature == "INFO", "Create", Feature == "WARN", "Health", Feature == "ERROR", "Search", true(), "Update")
``` the above emulates
index=xyz Feature IN (Create, Update, Search, Health)
```
With this, the result is
| Feature | perc90(Elapsed) | Total Hits |
| Create | 59.000000000000000 | 1283 |
| Health | 48.700000000000000 | 191 |
| Search | 59 | 212 |
| Update | 52.000000000000000 | 551 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PickleRick
SplunkTrust
07-14-2024
11:52 PM
Ok, regardless of your transposing issues you have a logical flaw in your search (or I'm misunderstanding something)
index=xyz
| search Feature IN (Create, Update, Search, Health)
| bin _time span=1m
| timechart count as TotalHits, perc90(Elapsed) by Feature
This part I understand but here:
| stats max(*) AS *
Youre finding a max value separately for each column which means that max(count) might have been during a different time period than max('perc90(Elapsed)'). Are you sure that is what you want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
07-14-2024
09:06 PM
Try this:
index=xyz Feature IN (Create, Update, Search, Health)
| timechart span=1m count as TotalHits, perc90(Elapsed) by Feature
| appendpipe
[stats max("Total Hits: *") as *
| eval _time = "Total Hits"]
| fields - "Total Hits: *"
| appendpipe
[stats max("perc90(Elapsed): *") as *
| eval _time = "perc90(Elapsed)"]
| fields - "perc90*"
| tail 2
| transpose header_field=_time column_name=Feature
| where Feature != "_span"
Two additional pointers:
- Do not use a second search line if Feature is already available in indexed data.
- Do not use a separate command for time bucket if you are going to use timechart.
This is my emulation:
index=_internal
| rename date_second as Elapsed, log_level as Feature
| eval Feature = case(Feature == "INFO", "Create", Feature == "WARN", "Health", Feature == "ERROR", "Search", true(), "Update")
``` the above emulates
index=xyz Feature IN (Create, Update, Search, Health)
```
With this, the result is
| Feature | perc90(Elapsed) | Total Hits |
| Create | 59.000000000000000 | 1283 |
| Health | 48.700000000000000 | 191 |
| Search | 59 | 212 |
| Update | 52.000000000000000 | 551 |
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Calling All Security Pros: Ready to Race Through Boston?
Hey Splunkers,
.conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...
Customer success is front and center at .conf25
Hi Splunkers,
If you are not able to be at .conf25 in person, you can still learn about all the latest news ...
