Solved: Re: What happened to the transposed dates?

hollybross1219 · ‎04-09-2020

I made a query that involves transposing a timechart (span=1w, analyzing since 1/1/2020).

The result is the exact layout I want, however, several columns representing dates after the transpose are missing (ie. nothing in February showed up).

Is there a limit in splunk how many columns are transposed?

Query:

splunk_server=indexer* index=wsi_tax_summary sourcetype=stash intuit_tid=* intuit_offeringid=* capability=* 
error_msg_service=* http_status_code_host=* 
| timechart span=1w dc(intuit_tid) as total_requests, dc(eval(if(error_msg_service="OK", intuit_tid,null))) as total_success 
| sort -_time 
| eval _time=strftime(_time,"%m/%d/%y") 
| eval total_failures=total_requests-total_success 
| eval success_rate= ROUND((total_success/total_requests)*100,2) 
| transpose header_field=_time column_name=week_starting
| regex week_starting!=("^_")
| eval sortkey=case(week_starting="total_requests",1, week_starting="total_success", 2, week_starting="total_failures", 3, 
week_starting="success_rate", 4)
| sort sortkey
| fields - sortkey

alt text

richgalloway · ‎04-10-2020

The transpose command is limited to 5 rows unless you specify otherwise. RTM at https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Transpose

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-10-2020

The transpose command is limited to 5 rows unless you specify otherwise. RTM at https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Transpose

---
If this reply helps you, Karma would be appreciated.

hollybross1219 · ‎04-10-2020

I totally missed that part! Thank you! Fixed 🙂

What happened to the transposed dates?

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform