Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Transposing data where two columns are fixed

bismsit29
New Member
‎06-22-2020 05:10 AM

HI All,

I am struggling with a query where i have made the data like the following

Type_timeStoreCounts
Type122/06/2020 11:00Store110
Type122/06/2020 11:00Store220
Type122/06/2020 11:00Store330
Type222/06/2020 11:00Store1100
Type222/06/2020 11:00Store2200
Type222/06/2020 11:00Store3300

 

And I need it to be like the below. Any help on this please ?

Type_timeStore1Store2Store3
Type122/06/2020 11:00102030
Type222/06/2020 11:00100200300

 

Labels (1)
Labels
0 Karma
Reply

manjunathmeti
Champion
‎06-22-2020 05:28 AM

@bismsit29 , Try this:

| strcat Type "-" _time column
| xyseries column, Store, Counts
| eval column=split(column, "-"), Type=mvindex(column, 0), _time=mvindex(column, 1)
| fields Type, _time, Store*

0 Karma
Reply

dmarling
Builder
‎06-22-2020 05:26 AM

Without knowing the underlying query that is generating the table you provided here's the way you can get to what you want from that table. There is a more efficient way of doing this directly from underlying data if you can provide what that is.  If not here is how you can generate the desired table from the table you have.  Refer to lines 13-17.  The first 12 lines are me recreating the table you provided as an example.

| makeresults
| eval Data="Type1|22/06/2020 11:00|Store1|10
Type1|22/06/2020 11:00|Store2|20
Type1|22/06/2020 11:00|Store3|30
Type2|22/06/2020 11:00|Store1|100
Type2|22/06/2020 11:00|Store2|200
Type2|22/06/2020 11:00|Store3|300"
| makemv tokenizer="(?<Data>[^\n]+)" Data
| mvexpand Data
| rex field=Data "^(?<Type>[^\|]+)\|(?<time>[^\|]+)\|(?<Store>[^\|]+)\|(?<Counts>[^\e]+)"
| eval _time=strptime(time, "%d/%m/%Y %H:%M")
| table Type _time Store Counts
| eval ClownCar=Type."|"._time
| chart values(Counts) as Counts over ClownCar by Store
| rex field=ClownCar "(?<Type>[^\|]+)\|(?<time>[^\e]+)"
| eval _time=time
| table Type _time Store*
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...