Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to rotate a table using transpose, remove the first row, and rename the column headers?

HattrickNZ
Motivator
‎06-03-2015 07:44 PM

i have this search which gives me:
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
which gives me this:

subname2    foo     bar     la
SG  300000  160000  100000
US  300000  160000  60000

If i use transpose with this
... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | transpose
I get 

column  row 1   row 2
subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

Now how do I remove the the 1st row of the table "subname2 SG US" and use this as my column headers?

I know I can do this:
...| rename column as subname2 | rename "row 1" as SG | rename "row 2" as US
to rename the column headers.

But how do I remove the first row? And is this the best way of doing this?

Ultimately I want this: 

subname2    SG  US
foo     300000  300000
bar     160000  160000
la  100000  60000

NOTE: A smilar question has been asked here

Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

View solution in original post

Reply
Solved! Jump to solution

tmurata_splunk
Splunk Employee
Splunk Employee
‎09-08-2018 07:59 AM

I think this is easier.

... 
 | transpose header_field=subname2
 | rename column as subname2
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎04-10-2019 07:57 AM

Right this one easier and quickly too...!! thanks 🙂

0 Karma
Reply
Solved! Jump to solution

ksubramanian198
Engager
‎08-09-2018 06:23 AM

Hi , Please try the below and let me know the result
| stats max(field1) as foo max(field2) as bar max(field3) as la by subname2
| transpose header_field=column
| fields- column

0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎06-03-2015 08:14 PM

Is using transpose a requirement? What about using a combination of untable and xyseries?

Such as:

... | stats max(field1) as foo max(field2) as bar max(field3) as la by subname2 | untable subname2 field value | xyseries field subname2 value | rename field as subname2

Edit: actually one tweak to change the first column name back 🙂

Reply
Solved! Jump to solution

bhawkins1
Communicator
‎02-07-2017 09:11 AM

transpose should have an optional parameter over which just does | untable <over> a b | xyseries a <over> b

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎06-03-2015 08:32 PM

tks, I think this is exactly what I am looking for.

transpose was the only way I could think of at the time.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...