Splunk Search

How to display header on transpose command?

jip31
Motivator

Hello

As you can see in my search I transpose time in my header field

 

| eval time=strftime(_time,"%H:%M") 
| sort time 
| fields - _time _span _origtime _events 
| fillnull value=0 
| transpose 0 header_field=time column_name=KPI include_empty=true 
| sort KPI

 

Most of the time it works well

jip31_4-1650782376619.png

But it seems that until I have results = 0, the time header field is not displayed

I have row1 instead of 08:00, row2 instead of 09:00

You can see the result below

jip31_0-1650781875341.png

Does anybody have an idea, please?

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

I think the problem comes from the _time field being empty. However, I can't see from your search why this would be the case. Nor can I see why the fillnull doesn't work, especially as you have shown some empty fields.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you show an example of the table before the transpose command?

0 Karma

jip31
Motivator

hi

here is

jip31_0-1650787222113.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Your _time field is empty. Why is that?

0 Karma

jip31
Motivator

I have just forgotten to delete this piece of code for my example, sorry

| eval time=strftime(_time,"%H:%M") 
| sort time 

This code is just used for filling my header_field (header_field=time)

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK so now what does the table look like before the transpose?

0 Karma

jip31
Motivator

here is

as you can see, fillnull works only when there is a result > 0 

 

jip31_0-1650865008367.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What was the search which produced this table?

0 Karma

jip31
Motivator
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I can't see why the fillnull should not have worked - I have tried recreating the results but have been unable to make it fail. Which version of Splunk are you using?

0 Karma

jip31
Motivator

So it's not due to version?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Possibly not - I haven't tried 8.2.5 but I can't reproduce the problem with 8.2.2 or 8.2.6

0 Karma

jip31
Motivator

Version 8.2.5

As you can see I have the row name in the header field instead of time

And most of the time it works normally.....

jip31_0-1650953145203.png

 

0 Karma

jip31
Motivator

I think I found it

I displayed 0 after header_field=time and it has worked immediately...

| transpose header_field=time 0 column_name=KPI include_empty=true 

 

 

0 Karma