Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to transpose data and create a new row?

kevingo75
New Member
โ€Ž06-25-2018 08:39 PM

Hi all,

I have a table data looks like:

Time              Type          Count
--------       ----------     --------------
2018/01          A                 10
2018/01          B                  5
2018/02          A                  20
2018/02          B                  10
...                      ...                ...

I want to transpose it and create a new row by B divide by A :

Type     2018/01   2018/02    ...
A          10           20
B          5             10
C          0.5           0.5

I tried | transpose 0 header_field=Time but it does not work.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harishalipaka
Builder
โ€Ž06-26-2018 12:20 AM

hi @kevingo75

|  makeresults |  eval  Time ="2018/01", Type="A", Count=10 |append [|  makeresults |  eval  Time ="2018/01", Type="B", Count=5] |append [|  makeresults |  eval  Time ="2018/02", Type="A", Count=20]|append [|  makeresults |  eval  Time ="2018/02", Type="B", Count=10] |fields - _time |chart values(Count) over Time by Type |eval C=B/A  |transpose header_field=Time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harishalipaka
Builder
โ€Ž06-26-2018 12:20 AM

hi @kevingo75

|  makeresults |  eval  Time ="2018/01", Type="A", Count=10 |append [|  makeresults |  eval  Time ="2018/01", Type="B", Count=5] |append [|  makeresults |  eval  Time ="2018/02", Type="A", Count=20]|append [|  makeresults |  eval  Time ="2018/02", Type="B", Count=10] |fields - _time |chart values(Count) over Time by Type |eval C=B/A  |transpose header_field=Time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kevingo75
New Member
โ€Ž06-26-2018 01:10 AM

Great answer! Thanks!

0 Karma
Reply
Solved! Jump to solution

niketnilay
SplunkTrust
SplunkTrust
โ€Ž06-26-2018 12:12 AM

@kevingo75, instead of transpose try the following chart command on existing table as per your question:

<yourCurrentSearchResultingInFirstTable>
| chart sum(Count) as count by Type Time

Following is a run anywhere search based on the sample data provided in the question (commands from |makeresults till the |table command generate the dummy data as per the question:

| makeresults 
| eval data="2018/01,A,10;2018/01,B,5;2018/02,A,20;2018/02,B,10" 
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval Time=mvindex(data,0),Type=mvindex(data,1),Count=mvindex(data,2)
| table Time Type Count
| chart sum(Count) as count by Type Time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

kevingo75
New Member
โ€Ž06-26-2018 01:10 AM

Thanks! It looks good!

0 Karma
Reply