Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

transpose

Description

Returns the specified number of rows (search results) as columns (list of field values), such that each search row becomes a column.

Syntax

transpose [int] [column_name=<string>] [header_field=<field>] [include_empty=<bool>]

Optional arguments

column_name
Syntax: column_name=<string>
Description: The name of the first column that you want to use for the transposed rows. This column contains the names of the fields.
Default: column
header_field
Syntax: header_field=<field>
Description: The field in your results to use for the names of the columns (other than the first column) in the transposed data.
Default: row 1, row 2, row 3, and so on.
include_empty
Syntax: include_empty=<bool>
Description: Specify whether to include (true) or not include (false) fields that contain empty values.
Default: true
int
Syntax: <int>
Description: Limit the number of rows to transpose.
Default: 5

Examples

1. Transpose the results of a chart command

Use the default settings for the transpose command to transpose the results of a chart command.

... | chart count BY host error_code | transpose


2. Count the number of events by sourcetype and transpose the results to display the 3 highest counts

Count the number of events by sourcetype and display the sourcetypes with the highest count first.

index=_internal | stats count by sourcetype | sort -count

An image that shows 2 columns. The first column lists the source types. The second column is a count of the number of events for each source type.

Use the transpose command to convert the rows to columns and show the source types with the 3 highest counts.

index=_internal | stats count by sourcetype | sort -count | transpose 3

An image that shows 4 columns. The first column are labels that for the information in the rows. The labels are sourcetype and count. The other 3 columns list the top 3 source types and the count, the number of events, for each source type.

See also

fields, stats

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the transpose command.

PREVIOUS
transaction
  NEXT
trendline

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Graham
Here is an example, using the Search Tutorial data.
This search produces a single row of data. When you switch to the Visualization tab, the data displays a chart with the "views" as the X axis and 2 columns, one for "addtocart "and one for "purchases". If you change to a pie chart, you get only the "views".
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases

So if you want to chart all 3 counts, you can use the "transpose" command to convert the 1 row of columns into 3 rows. With the multiple rows of information, the 3 counts can be displayed in a chart.

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | transpose

Lstewart splunk, Splunker
May 2, 2016

@Rdominy,

> it will also convert columns to rows

Could you please give an example?

Graham Hannington
April 27, 2016

The summary says this will convert rows to columns, but it will also convert columns to rows. The latter is useful for taking the result of a stats command and converting it into a pie chart when you don't have series to group by.

Rdominy
March 3, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters