Splunk Search

How to transpose a table? (without using Transpose command)

zacksoft
Contributor

My Table looks like this 

VF_Price   Huyndai_Price  Jaguar_Price
345               412                         542

I want it to look like the following

VF_Price               345
Huyndai_Price   412
Jaguar_Price       542

I need to transpose the table without using transpose command. I cannot use transpose command, 'cos I am using some invisible _<fields> that I am passing to my alert, those invisible field becomes visible and show in my transposed table, if I use 'transpose' command. Hence I am trying to figure out , how can I achieve this without using 'transpose'.  


Labels (1)
0 Karma

rnowitzki
Builder

Hi @zacksoft,

this seems to work:

| makeresults 
| eval Vehicle=120, Grocery=23, Tax=5, Education=45
| untable foo Vehicle Grocery
| fields - foo
| rename Vehicle as Category, Tax as count


While I was playing around with the data, due to a typo I added a field in the untable command that does not exist, that's why I have foo in it now. I don't fullly understand why, but it gives the result you asked for.

But I am not sure about your _fields that you mentioned. I guess they won't be available, as with the transpose command.

BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma

niketn
Legend

@zacksoft for the community to assist you better please add more details about your use case. How are you creating the hidden fields for Alert? Can you not create them after transpose?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

rrovers
Communicator

maybe when you use untable and xyseries you can get what you want.

For example:

index=_internal
| stats count as aantal by sourcetype
| untable sourcetype aantal waarde
| xyseries aantal sourcetype waarde


0 Karma

zacksoft
Contributor

Thanks @rrovers 
Would this work if I have 4 fields .
example :- 
Vehicle   Grocery    Tax      Education
120           23              5           45

and to make it
Vehicle  120
Grocery  23
Tax            5
Education 45

| untable Vehicle Grocery Tax Education 
| XYseries Vehice Grocery TAx Education

like this ?

0 Karma

rrovers
Communicator

I assumed vehicle, grocery and tax are not the field names but the values of a field. Let's say the name of the field is "object". The values 120, 23, 5, 45 are values of a field named "cost".

The search should be something like this

| stats count as cost by object
| untable object cost waarde
| xyseries cost object waarde

0 Karma

thambisetty
SplunkTrust
SplunkTrust

without transpose command also, the other invisible fields will be affected 

————————————
If this helps, give a like below.
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...