Splunk Search

How to edit my search to group keys as column headers with aggregated values in a single row?

track16
Engager

I have a search:

sourcetype="my_data" | stats count by queue

which aggregates data in a table by the field queue.

It generates a table like this:

queue     | count 
queue_one | 1234
queue_two | 7823

(I've shown two rows in this result, but in practice, the number of rows may vary because I don't know what the aggregated keys will be in advance).

How can I adjust my search so that the table shows aggregated keys as column headers which are also extracted fields, with a single row showing the counts, like this:

queue_one | queue_two 
1234      | 7823

Sorry, Splunk's Markdown page doesn't tell me how to create nicely formatted tables.
https://answers.splunk.com/static/markdown/help.html

0 Karma
1 Solution

sundareshr
Legend

Here's one way. There's probably a more elegant way...
... | timechart limit=0 span=10y count by queue | fields - _time

track16
Engager

Thanks @sundareshr!

I'm not supposed to use timechart in my Splunk installation (I believe for performance reasons). My admins tell me to use bucket and stats instead.

Do you know if there is a way to do this with bucket and stats?

0 Karma

sundareshr
Legend

In that case, try this

| stats count by queue | untable queue field count | xyseries field queue count | fields - field
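
To make the pivot in that answer concrete, here is a small Python model of the same four steps (added here; it is not code from the original thread or from Splunk). It runs `stats count by queue`, `untable`, `xyseries` and `fields -` as plain functions over a handful of constructed events; the event list and the function names are illustrative, and each function reproduces only the behaviour the corresponding command shows for this particular search, not the full command.

```python
"""Model of the SPL pipeline from the accepted answer:

    stats count by queue | untable queue field count | xyseries field queue count | fields - field

Each function below imitates one command closely enough to show how the
per-queue rows become column headers in a single row.
"""
from collections import Counter

# Constructed sample events (not from the original post). Only the "queue"
# field matters for this search; an event without it is ignored by stats.
SAMPLE_EVENTS = [
    {"sourcetype": "my_data", "queue": "queue_one"},
    {"sourcetype": "my_data", "queue": "queue_two"},
    {"sourcetype": "my_data", "queue": "queue_one"},
    {"sourcetype": "my_data", "queue": "queue_two"},
    {"sourcetype": "my_data", "queue": "queue_two"},
    {"sourcetype": "my_data"},  # no queue field: dropped by "stats ... by queue"
]


def stats_count_by(events, field):
    """`stats count by <field>`: one row per distinct value with its count."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: value, "count": n} for value, n in sorted(counts.items())]


def untable(rows, x_field, name_field, data_field):
    """`untable x name data`: every column other than x becomes its own row
    of (x, column name, column value). Here the only other column is "count",
    so name_field ends up holding the constant string "count"."""
    out = []
    for row in rows:
        for col, val in row.items():
            if col == x_field:
                continue
            out.append({x_field: row[x_field], name_field: col, data_field: val})
    return out


def xyseries(rows, x_field, name_field, data_field):
    """`xyseries x name data`: one output row per distinct x value; each
    distinct name value becomes a column holding the matching data value."""
    series = {}
    for row in rows:
        out_row = series.setdefault(row[x_field], {x_field: row[x_field]})
        out_row[row[name_field]] = row[data_field]
    return list(series.values())


def fields_minus(rows, *drop):
    """`fields - a b ...`: remove the named columns from every row."""
    return [{k: v for k, v in row.items() if k not in drop} for row in rows]


def pivot_counts(events):
    """Run the whole pipeline and return the single wide row."""
    by_queue = stats_count_by(events, "queue")                # queue | count
    long_form = untable(by_queue, "queue", "field", "count")  # queue | field="count" | count
    wide = xyseries(long_form, "field", "queue", "count")     # field="count" | queue_one | queue_two
    return fields_minus(wide, "field")                        # queue_one | queue_two


if __name__ == "__main__":
    for step_name, step in [
        ("stats", stats_count_by(SAMPLE_EVENTS, "queue")),
        ("untable", untable(stats_count_by(SAMPLE_EVENTS, "queue"), "queue", "field", "count")),
        ("result", pivot_counts(SAMPLE_EVENTS)),
    ]:
        print(step_name, step)
```

The intermediate `field` column is the trick: after `untable` it holds the same value (`count`) on every row, so `xyseries` sees exactly one x value and emits exactly one row, with each `queue` value promoted to a column. `fields - field` then drops that helper column, leaving only the queue names as headers. Because the headers come from the data, a brand-new queue value simply appears as a new column on the next run, which is the behaviour the question asked for.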

track16
Engager

Works great - thanks!

0 Karma