Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to transpose one column from table with four columns?

verothor
Path Finder
‎05-13-2023 09:57 AM

Hi all, I have a table where I would like to transpose only one column with values from another column.

It looks like this..

Order Date Count Shift
M5678 01/01/2023 12 A
M5678 01/01/2023 13 B
M1234 01/01/2023 13 A
M1234 01/01/2023 15 B

 

And I would like to achieve this..

Order Date A B
M5678 01/01/2023 12 13
M1234 01/01/2023 13 15

 

Can someone please help with this.

Thank you so much

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-13-2023 11:44 AM

I'll highly recommend @alacercogitatus "Lesser Known Search Commands" perennial .conf talk, because this is where I learned the {} trick with eval.

It looks like you want to create columns based on the value of the Shift column... 
Which eval could do with the trick above, and then you can combine rows based on Order and Date parameters with stats:

 

...
| eval SH_{Shift}=Count
| stats values(SH_*) as * by Order Date

 


Alternatively, assuming that your given data is in fact the output of a stats command, another option would be instead of doing the stats, combine Order and Date into a single key with a delimiter, and then chart the count of your data by Order_Date and Shift. 

You then use eval / rex / others to split Order and Date back out by the delimiter into separate columns.

But I'll leave that option as an exercise to the reader.

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎05-13-2023 11:44 AM

I'll highly recommend @alacercogitatus "Lesser Known Search Commands" perennial .conf talk, because this is where I learned the {} trick with eval.

It looks like you want to create columns based on the value of the Shift column... 
Which eval could do with the trick above, and then you can combine rows based on Order and Date parameters with stats:

 

...
| eval SH_{Shift}=Count
| stats values(SH_*) as * by Order Date

 


Alternatively, assuming that your given data is in fact the output of a stats command, another option would be instead of doing the stats, combine Order and Date into a single key with a delimiter, and then chart the count of your data by Order_Date and Shift. 

You then use eval / rex / others to split Order and Date back out by the delimiter into separate columns.

But I'll leave that option as an exercise to the reader.

Reply
Solved! Jump to solution

verothor
Path Finder
‎05-13-2023 02:02 PM

Thanks @acharlieh your recommendation did the trick what I needed now.

Yes, your assumption is right the table comes from stats command, I will try to play with it more, but for now the first solution helped, thank you so much 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...