Splunk Search

How to display header on transpose command?

jip31
Motivator

Hello

As you can see in my search I transpose time in my header field

 

| eval time=strftime(_time,"%H:%M") 
| sort time 
| fields - _time _span _origtime _events 
| fillnull value=0 
| transpose 0 header_field=time column_name=KPI include_empty=true 
| sort KPI

 

Most of the time it works well

jip31_4-1650782376619.png

But it seems that until I have results = 0, the time header field is not displayed

I have row1 instead of 08:00, row2 instead of 09:00

You can see the result below

jip31_0-1650781875341.png

Does anybody have an idea, please?

0 Karma
1 Solution

ITWhisperer
SplunkTrust

I think the problem comes from the _time field being empty. However, I can't see from your search why this would be the case. Nor can I see why the fillnull doesn't work, especially as you have shown some empty fields.

0 Karma

ITWhisperer
SplunkTrust

Can you show an example of the table before the transpose command?

0 Karma

jip31
Motivator

hi

here is

jip31_0-1650787222113.png

 

0 Karma

ITWhisperer
SplunkTrust

Your _time field is empty. Why is that?

0 Karma

jip31
Motivator

I just forgot to delete this piece of code for my example, sorry

| eval time=strftime(_time,"%H:%M") 
| sort time 

This code is just used for filling my header_field (header_field=time)

0 Karma

ITWhisperer
SplunkTrust

OK so now what does the table look like before the transpose?

0 Karma

jip31
Motivator

here is

As you can see, fillnull works only when there is a result > 0

 

jip31_0-1650865008367.png

 

0 Karma

ITWhisperer
SplunkTrust

What was the search which produced this table?

0 Karma

jip31
Motivator
0 Karma

ITWhisperer
SplunkTrust

I can't see why the fillnull should not have worked - I have tried recreating the results but have been unable to make it fail. Which version of Splunk are you using?

0 Karma

jip31
Motivator

So it's not due to the version?

0 Karma

ITWhisperer
SplunkTrust

Possibly not - I haven't tried 8.2.5 but I can't reproduce the problem with 8.2.2 or 8.2.6

0 Karma

jip31
Motivator

Version 8.2.5

As you can see, I have the row name in the header field instead of time

And most of the time it works normally.....

jip31_0-1650953145203.png

 

0 Karma

ITWhisperer
SplunkTrust

I think the problem comes from the _time field being empty. However, I can't see from your search why this would be the case. Nor can I see why the fillnull doesn't work, especially as you have shown some empty fields.

0 Karma

jip31
Motivator

I think I found it

I displayed 0 after header_field=time and it worked immediately...

| transpose header_field=time 0 column_name=KPI include_empty=true 

 

 

0 Karma