Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to convert columns to rows?

kpkvarma
Engager
‎06-26-2016 10:39 PM

I need to convert the following source data as a specified output.

Source Data

 API    SUCCESS    FAIL    POLICY    TOTAL
 x        2         3        4         9

Need a search to convert as following

 API    Measure    Count
  x     SUCCESS      2
  x      FAIL        3
  X     POLICY       4
  x      Total      9

Any inputs?

Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎06-27-2016 05:45 AM

I would just do it this way:

your search here
| untable API Measure Count

I replicated your use case with the following CSV:

API, SUCCESS, FAIL, POLICY, TOTAL
x, 2, 3, 4, 9

And tested it with the following query:

| inputcsv mycsv.csv
| untable API Measure Count

And the output is: see attached image.

alt text

View solution in original post

Preview file
187 KB
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎06-27-2016 05:45 AM

I would just do it this way:

your search here
| untable API Measure Count

I replicated your use case with the following CSV:

API, SUCCESS, FAIL, POLICY, TOTAL
x, 2, 3, 4, 9

And tested it with the following query:

| inputcsv mycsv.csv
| untable API Measure Count

And the output is: see attached image.

alt text

Preview file
187 KB
Reply
Solved! Jump to solution

ashish9433
Communicator
‎12-04-2017 03:58 AM

This works @javiergn, thnxs

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎06-27-2016 05:11 AM

You can work an iteration of stats, and then use the transpose command to work with this and format it how you want..

See: Transpose : http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Transpose

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...