Splunk Search

How to transpose a table? (without using Transpose command)


My table looks like this:

VF_Price   Huyndai_Price   Jaguar_Price
345        412             542

I want it to look like the following:

VF_Price        345
Huyndai_Price   412
Jaguar_Price    542

I need to transpose the table without using the transpose command. I cannot use the transpose command because I am using some invisible _<fields> that I am passing to my alert; those invisible fields become visible and show in my transposed table if I use the 'transpose' command. Hence I am trying to figure out how I can achieve this without using 'transpose'.

0 Karma


Hi @zacksoft,

this seems to work:

| makeresults 
| eval Vehicle=120, Grocery=23, Tax=5, Education=45
| untable foo Vehicle Grocery
| fields - foo
| rename Vehicle as Category, Tax as count

While I was playing around with the data, due to a typo I added a field in the untable command that does not exist; that's why I have foo in it now. I don't fully understand why, but it gives the result you asked for.

But I am not sure about your _fields that you mentioned. I guess they won't be available, as with the transpose command.


Karma and/or Solution tagging appreciated.
0 Karma


@zacksoft for the community to assist you better please add more details about your use case. How are you creating the hidden fields for Alert? Can you not create them after transpose?

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Maybe when you use untable and xyseries you can get what you want.

For example:

| stats count as aantal by sourcetype
| untable sourcetype aantal waarde
| xyseries aantal sourcetype waarde

0 Karma


Thanks @rrovers 
Would this work if I have 4 fields?
Example:
Vehicle   Grocery   Tax   Education
120       23        5     45

and to make it
Vehicle     120
Grocery     23
Tax         5
Education   45

| untable Vehicle Grocery Tax Education 
| XYseries Vehice Grocery TAx Education

like this ?

0 Karma


I assumed vehicle, grocery and tax are not the field names but the values of a field. Let's say the name of the field is "object". The values 120, 23, 5, 45 are values of a field named "cost".

The search should be something like this

| stats count as cost by object
| untable object cost waarde
| xyseries cost object waarde

0 Karma


Without the transpose command also, the other invisible fields will be affected.

If this helps, give a like below.
0 Karma