transpose the row to column

RSS_STT · ‎04-16-2025

I want to transpose the below row to column.

Host	drive_Name	utilization
aaa	D	20
bbb	D	30
aaa	E	60

want to covert above table result as below.

Host	D	E
aaa	20	60
bbb	30

PickleRick · ‎04-17-2025

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries

livehybrid · ‎04-17-2025

Hi @RSS_STT

Use a stats command like this:

| chart values(utilization) over Host by drive_Name

| makeresults count=3 
| streamstats count 
| eval Host=case(count=1 OR count=3, "aaa", count=2, "bbb"), 
       drive_Name=case(count=1 OR count=2, "D:", count=3, "E:"), 
       utilization=case(count=1, 20, count=2, 30, count=3, 60) 
| fields - count _time
| chart values(utilization) over Host by drive_Name

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

transpose the row to column

other

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

transpose the row to column

other

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions