Splunk Search

How to transpose a table to make the values in Column 1 the header labels?

crazyeva
Contributor

orange table:

    a      b
    --------
    fld1   1
    fld2   2
    fld3   3
    fld4   4

I want to change it to:

    fld1     fld2     fld3     fld4
    --------------------------------
    1        2        3        4

Where 'fldx' are the header labels

However, using the transpose command results in:

    row1    row2    row3    row4
  ----------------------------------
    fld1     fld2     fld3     fld4
    1        2        3        4

How do I get the desired result?

1 Solution

javiergn
Super Champion

Try this:

yoursearch
| transpose header_field=a
| fields - column

View solution in original post

javiergn
Super Champion

Try this:

yoursearch
| transpose header_field=a
| fields - column

purnavenkatesh
Explorer

Hi,
Thank You Very much. "transpose header_field=a" worked.

0 Karma

snayani
Explorer

Hi,
transpose header_field=count doesn't work for me. Please help

0 Karma

javiergn
Super Champion

Hi, can you post here your search and give us more details about your data?

0 Karma

snayani
Explorer

Hi, I tried this way and it worked:
search string ...... | transpose 5
| rename column as "Database Error Type", "row 1" as "Count"

crazyeva
Contributor

awesome cool !
thank you very much !
I did not find 'header_field' argument in Search Reference v6.2.3. I need update it.
by the way I find a solution using xyseries command. but it's not so convenient as yours
Edit:
transpose's width up to only 1000
xyseries seams will breake the limitation
|eval tmp="anything"|xyseries tmp a b|fields - tmp

jimwilsonssf
Engager

OK I have been looking for an answer like this for days!!! Thank you!

marcoscala
Builder

Good job! Actually also in my case "xysersies" works better!

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...