Solved: Reverse data table to horizontal

isac_santana · ‎07-17-2023

Guys, good morning

I'm having trouble inverting this table below. I need to leave the horizontal "key_type" information, and the "sync_status" information on the bottom line. does anyone know how i can do this?

Current:

| eval last_successful=strftime(strptime(last_successful_sync, "%F %T"), "%d/%m/%Y")
| eval sync_status=if(sync_status == "t", ":gmud-approved:"." "."Sucesso", ":x-negative:"." "."Falhou"." -- "."Last Successful: ".'last_successful')
| stats c as _c by key_type sync_status

How I need it to look:

EVP	CPF	CNPJ	EMAIL	PHONE
'sync_status'	'sync_status'	'sync_status'	'sync_status'	'sync_status'

ITWhisperer · ‎07-17-2023

Add this line:

| chart values(sync_status) as sync_status by _c key_type

The assumption here is that each key_type only has one sync_status

View solution in original post

ITWhisperer · ‎07-17-2023

Add this line:

| chart values(sync_status) as sync_status by _c key_type

The assumption here is that each key_type only has one sync_status

PickleRick · ‎07-17-2023

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transpose

Reverse data table to horizontal

eval

fields

stats

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?