Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to separate rows as column?

apple143
Engager
‎06-08-2018 03:53 PM

I have trouble in manipulating the table

Date contains (index, name, date).

name ..... date ................ count
a ............ 2018-06-07 ..... 500
a ............ 2018-06-08 ..... 600
b ............ 2018-06-07 ..... 700
b ............ 2018-06-08 ..... 800
c ............ 2018-06-07 ..... 900
c ............ 2018-06-08 ..... 1000

I want to make this table to below form

name ........ day1 ........ day2
a ............... 500 .......... 600
b ............... 700 .......... 800
c ............... 900 .......... 1000

or it doesn't matter if I can make below table directly(using tstats)

I have to use tstats. I already made an Alert that could show table like second table.
But, It takes too much time so I want to change search command using tstats

And here is the search query that I used when I made first table
| tstats count where index=* by name, _time span=1d)

How can I do?
Somebody help me please.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎06-08-2018 05:43 PM

Hi Apple143,

Does this work for you?

| tstats count where index=* by name, _time span=1d prestats=true
| chart count by name, _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jluo_splunk
Splunk Employee
Splunk Employee
‎06-08-2018 05:43 PM

Hi Apple143,

Does this work for you?

| tstats count where index=* by name, _time span=1d prestats=true
| chart count by name, _time
0 Karma
Reply
Solved! Jump to solution

apple143
Engager
‎06-10-2018 06:23 PM

It works! Thanks a lot!!

0 Karma
Reply
Solved! Jump to solution

apple143
Engager
‎06-13-2018 12:28 AM

Can I ask one more?
What if I want to 1 more field?
Like..
A-------xx-------06/07-------100
A-------xx-------06/08-------200
A-------yy-------06/07-------300
A-------yy-------06/08-------400
B-------xx-------06/07-------500
B-------xx-------06/08-------600

to

A-------xx-------100-------200
A-------yy-------300-------400
B-------xx-------500-------600

0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎06-13-2018 08:32 PM

Hi Apple143,

Would you mind posting this as a new question since it is a separate question?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-09-2018 08:48 AM

@jluo, small correction _time needs to be converted from epoch time to Epoch time of format YYYY-MM-DD

 | tstats count where index=* by name, _time span=1d prestats=true
 | eval Time=strftime(_time,"%Y/%m/%d")
 | chart count by name, Time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

apple143
Engager
‎06-10-2018 06:24 PM

I checked it. Your correction makes it easier. Thank you!

0 Karma
Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎06-10-2018 12:31 PM

Nice catch, Niketnilay 🙂 @apple143, if this works for you, can you accept the answer?

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...