Solved: How to edit my search to group keys as column head...

track16 · ‎11-18-2015

I have a search:

sourcetype="my_data"| stats count by queue

which aggregates data in a table by the field queue.

It generates a table like this:

queue     | count 
queue_one | 1234
queue_two | 7823

(I've shown two rows in this result, but in practice, the number of rows may vary because I don't know what the aggregated keys will be in advance).

How can I adjust my search so that the table shows aggregated keys as column headers which are also extracted fields, with a single row showing the counts, like this:

queue_one | queue_two 
1234      | 7823

Sorry, Splunk's Markdown page doesn't tell me how to create nicely formatted tables.
https://answers.splunk.com/static/markdown/help.html

sundareshr · ‎11-18-2015

Here's one way. There's probably a more elegant way..
... | timechart limit=0 span=10y count by queue| fields - _time

View solution in original post

sundareshr · ‎11-18-2015

Here's one way. There's probably a more elegant way..
... | timechart limit=0 span=10y count by queue| fields - _time

View solution in original post

track16 · ‎11-18-2015

Thanks @sundareshr!

I'm not supposed to use timechart in my Splunk installation (I believe for performance reasons). My admins tell me to use bucket and stats instead.

Do you know if there is a way to do this with bucket and stats?

sundareshr · ‎11-18-2015

In that case, try this

| stats count by queue | untable queue field count | xyseries field queue count | fields - field

track16 · ‎11-18-2015

Works great - thanks!

How to edit my search to group keys as column headers with aggregated values in a single row?