Solved: Why does the time field show up in the transpose h...

jip31 · ‎04-05-2022

hello

I use a transpose command in a table panel

| eval time=strftime(_time,"%H:%M") 
| sort time 
| fields - _time _span _origtime 
| transpose 0 header_field=time column_name=KPI include_empty=true

But randomly, instead having the time field in the header, I have row1, row2, row3....

what is wrong please?

gcusello · ‎04-06-2022

Hi @jip31,

please try tu use transpose after a grouping command as stats, something like this:

your_search
| bin _time span=1m
| stats values(KPI) AS KPI BY _time
| transpose 0 header_field=_time column_name=KPI include_empty=true

in your search, you have too many fields and too many values all equal because you grouped by minute.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎04-06-2022

Hi @jip31,

please try tu use transpose after a grouping command as stats, something like this:

your_search
| bin _time span=1m
| stats values(KPI) AS KPI BY _time
| transpose 0 header_field=_time column_name=KPI include_empty=true

in your search, you have too many fields and too many values all equal because you grouped by minute.

Ciao.

Giuseppe

jip31 · ‎04-07-2022

hi thanks even if i use transpose after a grouping command too;-)

gcusello · ‎04-07-2022

Hi @jip31,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Why does the time field show up in the transpose header?

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor