Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rotate a table using transpose, remove the first row, and rename the column headers?

HattrickNZ
Motivator
‎06-03-2015 07:44 PM

i have this search which gives me:
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
which gives me this:

subname2    foo     bar     la
SG  300000  160000  100000
US  300000  160000  60000

If i use transpose with this
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | transpose
I get 

column  row 1   row 2
subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

Now how do I remove the the 1st row of the table "subname2 SG US" and use this as my column headers?

I know I can do this:
...| rename column as subname2 | rename "row 1" as SG | rename "row 2" as US
to rename the column headers.

But how do I remove the first row? And is this the best way of doing this?

Ultimately I want this: 

subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

NOTE: A smilar question has been asked here

Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

View solution in original post

Reply
Solved! Jump to solution

tmurata_splunk
Splunk Employee
Splunk Employee
‎09-08-2018 07:59 AM

I think this is easier.

... 
 | transpose header_field=subname2
 | rename column as subname2
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎04-10-2019 07:57 AM

Right this one easier and quickly too...!! thanks 🙂

0 Karma
Reply
Solved! Jump to solution

ksubramanian198
Engager
‎08-09-2018 06:23 AM

Hi , Please try the below and let me know the result
| stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
| transpose header_field=column
| fields- column

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

Reply
Solved! Jump to solution

bhawkins1
Communicator
‎02-07-2017 09:11 AM

transpose should have an optional parameter over which just does | untable <over> a b | xyseries a <over> b

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎06-03-2015 08:32 PM

tks, I think this is exactly what I am looking for.

transpose was the only way I could think of at the time.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...