Transpose and Group By?

SudeepDell · ‎07-05-2018

I am currently trying to format the amount of memory used by each node during a given time in a way that I could create an area graph from the results. Right now I have these three columns:

index=main sourcetype=source
| table _time memory node_name

But I want the columns to be _time, node_name1, node_name2, ...
and the rows to contain the time and the related memory usage that goes along with the node_name.

How can I group the rows by time and separate the memory data for each of the nodes?

Results should look similar to this:

time, node1, node2, node3, ...
6/28, 10000, 20000, 16000, ...
6/29, 15000, 24000, 12500, ...

niketn · ‎07-06-2018

@SudeepDell you can try the following.

 index=main sourcetype=source
 | timechart span=1d  max(memory) as Memory by node_name

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SudeepDell · ‎07-06-2018

that worked, thanks!

niketn · ‎07-08-2018

@SudeepDell, please accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"