Splunk Search

How to transpose or untable and keep only one column?

mrg2k8
Explorer

Hello,

I have a search returning some results that look like this:

sourcetype="somesourcetype" [ search sourcetype="somesourcetype" ... | top limit=100 email | fields + email ] | stats count by email,error

email           error       count
g@gogo.com      100         20
g@gogo.com      101         21
g@gogo.com      102         22
g@gogo.com      103         23
g@gogo.com      104         24
m@momo.com      100         20
m@momo.com      101         21
m@momo.com      102         22
m@momo.com      103         23
m@momo.com      104         24
f@fofo.com      100         20
f@fofo.com      101         21
f@fofo.com      102         22
f@fofo.com      103         23
f@fofo.com      104         24

How can I make my table look like this?

email           100     101     102     103     104
g@gogo.com      20      21      22      23      24
m@momo.com      20      21      22      23      24
f@fofo.com      20      21      22      23      24

Thanks!

Tags (3)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can either append this to your search:

... | xyseries email error count

Or use chart count over error by email instead of stats count by email error.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can either append this to your search:

... | xyseries email error count

Or use chart count over error by email instead of stats count by email error.

diogofgm
SplunkTrust
SplunkTrust

Try this instead of the last stats command:

| chart count over error by email
------------
Hope I was able to help you. If so, some karma would be appreciated.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...