Returns the specified number of rows (search results) as columns (list of field values), such that each search row becomes a column.
transpose [int] [column_name=<string>] [header_field=<field>] [include_empty=<bool>]
- Syntax: column_name=<string>
- Description: The name of the first column that you want to use for the transposed rows. This column contains the names of the fields.
- Default: column
- Syntax: header_field=<field>
- Description: The field in your results to use for the names of the columns (other than the first column) in the transposed data.
- Default: row 1, row 2, row 3, and so on.
- Syntax: include_empty=<bool>
- Description: Specify whether to include (true) or not include (false) fields that contain empty values.
- Default: true
- Syntax: <int>
- Description: Limit the number of rows to transpose. To transpose all rows, specify
| transpose 0, which indicates that the number of rows to transpose is unlimited.
- Default: 5
When you use the
transpose command the field names used in the output are based on the arguments that you use with the command. By default the field names are:
row2, and so forth.
1. Transpose the results of a chart command
Use the default settings for the transpose command to transpose the results of a chart command.
... | chart count BY host error_code | transpose
2. Count the number of events by sourcetype and transpose the results to display the 3 highest counts
Count the number of events by sourcetype and display the sourcetypes with the highest count first.
index=_internal | stats count by sourcetype | sort -count
Use the transpose command to convert the rows to columns and show the source types with the 3 highest counts.
index=_internal | stats count by sourcetype | sort -count | transpose 3
3. Transpose a set of data into a series to produce a chart
|This example uses the sample dataset from the Search Tutorial.
Search all successful events and count the number of views, the number of times items were added to the cart, and the number of purchases.
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases
When you switch to the Visualization tab, the data displays a chart with the "34282 views" as the X axis label and two columns, one for "addtocart "and one for "purchases". Because the information about the views is placed on the X axis, this chart is confusing.
If you change to a pie chart, you see only the "views".
transpose command to convert the columns of the single row into multiple rows.
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | transpose
Now these rows can be displayed in a column or pie chart where you can compare the counts.
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the transpose command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.0.5, 7.0.0, 7.0.2, 7.0.3