Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to group keys as column headers with aggregated values in a single row?

track16
Engager
‎11-18-2015 09:34 AM

I have a search:

sourcetype="my_data"| stats count by queue

which aggregates data in a table by the field queue.

It generates a table like this:

queue     | count 
queue_one | 1234
queue_two | 7823

(I've shown two rows in this result, but in practice, the number of rows may vary because I don't know what the aggregated keys will be in advance).

How can I adjust my search so that the table shows aggregated keys as column headers which are also extracted fields, with a single row showing the counts, like this:

queue_one | queue_two 
1234      | 7823

Sorry, Splunk's Markdown page doesn't tell me how to create nicely formatted tables.
https://answers.splunk.com/static/markdown/help.html

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-18-2015 09:56 AM

Here's one way. There's probably a more elegant way..
... | timechart limit=0 span=10y count by queue| fields - _time

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-18-2015 09:56 AM

Here's one way. There's probably a more elegant way..
... | timechart limit=0 span=10y count by queue| fields - _time

Reply
Solved! Jump to solution

track16
Engager
‎11-18-2015 10:08 AM

Thanks @sundareshr!

I'm not supposed to use timechart in my Splunk installation (I believe for performance reasons). My admins tell me to use bucket and stats instead.

Do you know if there is a way to do this with bucket and stats?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-18-2015 10:23 AM

In that case, try this

| stats count by queue | untable queue field count | xyseries field queue count | fields - field
Reply
Solved! Jump to solution

track16
Engager
‎11-18-2015 01:59 PM

Works great - thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...