Solved: How to display header on transpose command?

jip31 · ‎04-23-2022

Hello

As you can see in my search I transpose time in my header field

| eval time=strftime(_time,"%H:%M") 
| sort time 
| fields - _time _span _origtime _events 
| fillnull value=0 
| transpose 0 header_field=time column_name=KPI include_empty=true 
| sort KPI

Most of the time it works well

But it seems that until I have results = 0, the time header field is dont display

I have row1, instead 08:00, row2 instead 09:00

You can see the result below

is anybody have an idea please?

ITWhisperer · ‎04-27-2022

I think the problem comes from the _time field being empty. However, I can't see from your search why this would be the case. Nor can I see why the fillnull doesn't work, especially as you have shown some empty fields.

View solution in original post

ITWhisperer · ‎04-24-2022

Can you show an example of the table before the transpose command?

jip31 · ‎04-24-2022

hi

here is

ITWhisperer · ‎04-24-2022

Your _time field is empty. Why is that?

jip31 · ‎04-24-2022

I have just forgotten to delete this pièce of code for my exemple sorry

| eval time=strftime(_time,"%H:%M") 
| sort time

This code is just used for filling my header_field (header_field=time)

ITWhisperer · ‎04-24-2022

OK so now what does the table look like before the transpose?

jip31 · ‎04-24-2022

here is

as you can see, fillnull works only when there is a result > 0

ITWhisperer · ‎04-24-2022

What was the search which produced this table?

jip31 · ‎04-25-2022

Here is

https://www.cjoint.com/c/LDzpRnxcFYj

ITWhisperer · ‎04-25-2022

I can't see why the fillnull should not have worked - I have tried recreating the results but have been unable to make it fail. Which version of Splunk are you using?

jip31 · ‎04-26-2022

So its not due to version?

ITWhisperer · ‎04-27-2022

Possibly not - I haven't tried 8.2.5 but I can't reproduce the problem with 8.2.2 or 8.2.6

jip31 · ‎04-25-2022

Version 8.2.5

As you can see I have the row name in the header field instead time

And most of the time it works normally.....

ITWhisperer · ‎04-27-2022

I think the problem comes from the _time field being empty. However, I can't see from your search why this would be the case. Nor can I see why the fillnull doesn't work, especially as you have shown some empty fields.

jip31 · ‎04-27-2022

I think I found

I displayed 0 after header_field=time and it has worked immediately...

| transpose header_field=time 0 column_name=KPI include_empty=true

How to display header on transpose command?

other

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation