Splunk Search

How to transpose a table? (without using Transpose command)


My table looks like this:

VF_Price   Huyndai_Price   Jaguar_Price
345        412             542

I want it to look like the following:

VF_Price        345
Huyndai_Price   412
Jaguar_Price    542

I need to transpose the table without using the transpose command. I cannot use the transpose command because I am using some invisible _<fields> that I am passing to my alert; those invisible fields become visible and show in my transposed table if I use the 'transpose' command. Hence I am trying to figure out how I can achieve this without using 'transpose'.



Hi @zacksoft,

this seems to work:

| makeresults 
| eval Vehicle=120, Grocery=23, Tax=5, Education=45
| untable foo Vehicle Grocery
| fields - foo
| rename Vehicle as Category, Tax as count

While I was playing around with the data, due to a typo I added a field in the untable command that does not exist; that's why I have foo in it now. I don't fully understand why, but it gives the result you asked for.

But I am not sure about your _fields that you mentioned. I guess they won't be available, as with the transpose command.


Karma and/or Solution tagging appreciated.


@zacksoft, for the community to assist you better, please add more details about your use case. How are you creating the hidden fields for the alert? Can you not create them after transpose?

| makeresults | eval message= "Happy Splunking!!!"


Maybe when you use untable and xyseries you can get what you want.

For example:

| stats count as aantal by sourcetype
| untable sourcetype aantal waarde
| xyseries aantal sourcetype waarde



Thanks @rrovers
Would this work if I have 4 fields?
Example:
Vehicle   Grocery   Tax   Education
120       23        5     45

and to make it
Vehicle     120
Grocery     23
Tax         5
Education   45

| untable Vehicle Grocery Tax Education
| xyseries Vehicle Grocery Tax Education

Like this?



I assumed vehicle, grocery and tax are not the field names but the values of a field. Let's say the name of the field is "object". The values 120, 23, 5, 45 are values of a field named "cost".

The search should be something like this

| stats count as cost by object
| untable object cost waarde
| xyseries cost object waarde



Without the transpose command also, the other invisible fields will be affected.

If this helps, give a like below.