Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rotate a table using transpose, remove the first row, and rename the column headers?

HattrickNZ
Motivator
‎06-03-2015 07:44 PM

i have this search which gives me:
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
which gives me this:

subname2    foo     bar     la
SG  300000  160000  100000
US  300000  160000  60000

If i use transpose with this
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | transpose
I get 

column  row 1   row 2
subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

Now how do I remove the the 1st row of the table "subname2 SG US" and use this as my column headers?

I know I can do this:
...| rename column as subname2 | rename "row 1" as SG | rename "row 2" as US
to rename the column headers.

But how do I remove the first row? And is this the best way of doing this?

Ultimately I want this: 

subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

NOTE: A smilar question has been asked here

Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

View solution in original post

Reply
Solved! Jump to solution

tmurata_splunk
Splunk Employee
Splunk Employee
‎09-08-2018 07:59 AM

I think this is easier.

... 
 | transpose header_field=subname2
 | rename column as subname2
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎04-10-2019 07:57 AM

Right this one easier and quickly too...!! thanks 🙂

0 Karma
Reply
Solved! Jump to solution

ksubramanian198
Engager
‎08-09-2018 06:23 AM

Hi , Please try the below and let me know the result
| stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
| transpose header_field=column
| fields- column

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

Reply
Solved! Jump to solution

bhawkins1
Communicator
‎02-07-2017 09:11 AM

transpose should have an optional parameter over which just does | untable <over> a b | xyseries a <over> b

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎06-03-2015 08:32 PM

tks, I think this is exactly what I am looking for.

transpose was the only way I could think of at the time.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...