Solved: variable fields - re-arrange (tranpose) variables ... - Page 2

guilmxm · ‎06-16-2014

Hi,

I have data indexed with variable fields (csv data indexed as csv by Splunk) such as:

timestamp device1 device2 device3 device4
XXXXXXXX        X       X       X       X

Where X are timestamps and values.

I would like to transform these data with Splunk to get:

timestamp device value
XXXXXXXXX device1    X
XXXXXXXXX device2    X
XXXXXXXXX device3    X
XXXXXXXXX device4    X

Currently, I can manipulate data to stats and chart them using:

| timechart max(*) As *

Then i can filter by fields name or doing any other operation.

But i would like to aggregate them (sum) by time interval, easy when devices are arranged in uniq fields, more complicated with variable fields i can't know in advance.

I found a way to stats count/max or whatever by device, but i can't get to include time:

<search stuff>
| stats max(*) As *
| transpose
| rex device=device^count\((?<column>.*?)\)
| rename column as device | rename "row 1" as value

I would have like the same kind of stuff to include the timestamp with the goal to re-arrange the data

Thank you very much for any help !

somesoni2 · ‎06-16-2014

See if this works (from your stats max query in the question)

<search stuff> | eval MaxTime=_time | stats max(*) As *
| transpose  | appendpipe [| where column="MaxTime" | rename "row 1" as Timestamp] | eventstats max(Timestamp) as Timestamp | where like(column,"device%") | convert ctime(Timestamp) | rename column as device, "row 1" as value | table Timestamp, device, value

View solution in original post

variable fields - re-arrange (tranpose) variables fields into one field for data aggregation

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!