Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does the time field show up in the transpose header?

jip31
Motivator
‎04-05-2022 10:45 PM

hello

I use a transpose command in a table panel

 

 

| eval time=strftime(_time,"%H:%M") 
| sort time 
| fields - _time _span _origtime 
| transpose 0 header_field=time column_name=KPI include_empty=true

 

 

 But randomly, instead having the time field in the header, I have row1, row2, row3....

jip31_0-1649223867756.png

what is wrong please?

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2022 01:16 AM

Hi @jip31,

please try tu use transpose after a grouping command as stats, something like this:

your_search
| bin _time span=1m
| stats values(KPI) AS KPI BY _time
| transpose 0 header_field=_time column_name=KPI include_empty=true

in your search, you have too many fields and too many values all equal because you grouped by minute.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2022 01:16 AM

Hi @jip31,

please try tu use transpose after a grouping command as stats, something like this:

your_search
| bin _time span=1m
| stats values(KPI) AS KPI BY _time
| transpose 0 header_field=_time column_name=KPI include_empty=true

in your search, you have too many fields and too many values all equal because you grouped by minute.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-07-2022 07:18 AM

hi thanks even if i use transpose after a grouping command too;-)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-07-2022 07:22 AM

Hi @jip31,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...