Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to represent a 1 row data in a tabular/matrix format?

sh254087
Communicator
‎04-01-2022 06:15 AM

I have this search query which will return a single row of data-


index=xyz | search accountID="1234" instanceName="abcd1" | table curr_x, curr_y, curr_z, op1_x, op1_x, op1_z, op2_x, op2_y, op2_z, op3_x, op3_y, op3_z | fields - accouintID, instanceName


and I want to display the resultant row of data in a matrix format like -

Option x y z
current curr_x curr_y curr_z
option_1 op1_x op1_x op1_z
option_2 op2_x op2_y op2_z
option_3 op3_x op3_y op3_z

Please note: Field names are indicative, actual values of the respective fields to be displayed.

Assumption : There will always be only one row for a selected accountID and instanceName

 

Can someone please help me by letting know how this can be achieved?

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2022 10:15 AM

Does something like this help?

| makeresults
| eval curr_x="current x"
| eval curr_y="current y"
| eval curr_z="current z"
| eval op1_x="opt1 x"
| eval op1_y="opt1 y"
| eval op1_z="opt1 z"
| eval op2_x="opt2 x"
| eval op2_y="opt2 y"
| eval op2_z="opt2 z"
| eval op3_x="opt3 x"
| eval op3_y="opt3 y"
| eval op3_z="opt3 z"
| fields - _time
| eval name=mvindex
| transpose 0 column_name=name header_field=name
| eval field=mvindex(split(name,"_"),0)
| eval {field}='row 1'
| eval row=mvindex(split(name,"_"),1)
| fields - "row 1" name
| stats values(*) as * by row
| fields - field
| transpose 0 column_name=option header_field=row

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-01-2022 10:15 AM

Does something like this help?

| makeresults
| eval curr_x="current x"
| eval curr_y="current y"
| eval curr_z="current z"
| eval op1_x="opt1 x"
| eval op1_y="opt1 y"
| eval op1_z="opt1 z"
| eval op2_x="opt2 x"
| eval op2_y="opt2 y"
| eval op2_z="opt2 z"
| eval op3_x="opt3 x"
| eval op3_y="opt3 y"
| eval op3_z="opt3 z"
| fields - _time
| eval name=mvindex
| transpose 0 column_name=name header_field=name
| eval field=mvindex(split(name,"_"),0)
| eval {field}='row 1'
| eval row=mvindex(split(name,"_"),1)
| fields - "row 1" name
| stats values(*) as * by row
| fields - field
| transpose 0 column_name=option header_field=row
Reply
Solved! Jump to solution

sh254087
Communicator
‎04-05-2022 03:33 AM

Thank you very much for taking time out to look into this and helping. Appreciate it.

This just worked absolutely right. I just had to rename my actual fields such that they only have one underscore in them. Thank you very much.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...