Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Transpose Multiple Column Headers

IRHM73
Motivator
‎04-25-2018 01:08 AM

HI, I wonder whether someone can help me please.

I'm running the query below which works fine, but I'm having some difficulty with the formatting.

(wso2_wmf(RequestCompleted)) OR (auth_wmf(RequestReceived))
| spath output=afin input=detail.responseMessage path=affinityGroup
| eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
| stats values(afin) as afin, values(request.detail.apiContext) as api by requestid
| search (api="benefits" OR api="employment" OR api="income")
| stats count by afin, api
| transpose header_field=api

I'd like the output to be as per the enclosed screenshot. So the "api" field is row1, the "afin" field is row 2 with the metrics at row 3.

I'm able to transpose the "api" data to column headers but I can't find a way to create a secondary set of column headers using the "afin" data.

Could someone possibly look at this please and offer some guidance on how I may go about achieving this.

Many thanks and kind regards

Chris

alt text

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-26-2018 05:16 AM

All,

I've come up with the following which resolves the issue highlighted in this ticket.

 (wso2_wmf(RequestCompleted)) OR (`auth_wmf(RequestReceived)`)
 | spath output=afin input=detail.responseMessage path=affinityGroup
 | eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
 | stats values(afin) as afin, values(request.detail.apiContext) as api by requestid
 | search (api="benefits" OR api="employment" OR api="income")
 | stats count by afin, api
 | transpose 0
| fields - column

Many thanks for all your help.

Regards

Chris

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-26-2018 05:16 AM

All,

I've come up with the following which resolves the issue highlighted in this ticket.

 (wso2_wmf(RequestCompleted)) OR (`auth_wmf(RequestReceived)`)
 | spath output=afin input=detail.responseMessage path=affinityGroup
 | eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
 | stats values(afin) as afin, values(request.detail.apiContext) as api by requestid
 | search (api="benefits" OR api="employment" OR api="income")
 | stats count by afin, api
 | transpose 0
| fields - column

Many thanks for all your help.

Regards

Chris

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎04-25-2018 05:13 AM

You can't have two headers in Splunk like you can in Excel. The best you can do is create a field with the two columns concatenated. something like:

(wso2_wmf(RequestCompleted)) OR (`auth_wmf(RequestReceived)`)
| spath output=afin input=detail.responseMessage path=affinityGroup
| eval requestid=coalesce('request.tags.X-Request-ID', 'tags.X-Request-ID')
| stats values(afin) as afin, values(request.detail.apiContext) as api by requestid
| search (api="benefits" OR api="employment" OR api="income")
| stats count by afin, api
| eval transpose_field=afin." - ".api|fields - afin api
| transpose header_field=transpose_field
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...