Splunk Search

How to transpose or untable and keep only one column?

mrg2k8
Explorer

Hello,

I have a search returning some results that look like this:

sourcetype="somesourcetype" [ search sourcetype="somesourcetype" ... | top limit=100 email | fields + email ] | stats count by email,error

email           error       count
g@gogo.com      100         20
g@gogo.com      101         21
g@gogo.com      102         22
g@gogo.com      103         23
g@gogo.com      104         24
m@momo.com      100         20
m@momo.com      101         21
m@momo.com      102         22
m@momo.com      103         23
m@momo.com      104         24
f@fofo.com      100         20
f@fofo.com      101         21
f@fofo.com      102         22
f@fofo.com      103         23
f@fofo.com      104         24

How can I make my table look like this?

email           100     101     102     103     104
g@gogo.com      20      21      22      23      24
m@momo.com      20      21      22      23      24
f@fofo.com      20      21      22      23      24

Thanks!

Tags (3)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You can either append this to your search:

... | xyseries email error count

Or use chart count over error by email instead of stats count by email error.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You can either append this to your search:

... | xyseries email error count

Or use chart count over error by email instead of stats count by email error.

diogofgm
SplunkTrust
SplunkTrust

Try this instead of the last stats command:

| chart count over error by email
------------
Hope I was able to help you. If so, some karma would be appreciated.
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...