Related Answers
Download topic as PDF
transpose
Description
Returns the specified number of rows (search results) as columns (list of field values), such that each search row becomes a column.
Syntax
transpose [int] [column_name=<string>] [header_field=<field>] [include_empty=<bool>]
Required arguments
None.
Optional arguments
- column_name
- Syntax: column_name=<string>
- Description: The name of the first column that you want to use for the transposed rows. This column contains the names of the fields.
- Default: column
- header_field
- Syntax: header_field=<field>
- Description: The field in your results to use for the names of the columns (other than the first column) in the transposed data.
- Default: row 1, row 2, row 3, and so on.
- include_empty
- Syntax: include_empty=<bool>
- Description: Specify whether to include (true) or not include (false) fields that contain empty values.
- Default: true
- int
- Syntax: <int>
- Description: Limit the number of rows to transpose. To transpose all rows, specify
| transpose 0, which indicates that the number of rows to transpose is unlimited. - Default: 5
Usage
When you use the transpose command the field names used in the output are based on the arguments that you use with the command. By default the field names are: column, row1, row2, and so forth.
Examples
1. Transpose the results of a chart command
Use the default settings for the transpose command to transpose the results of a chart command.
... | chart count BY host error_code | transpose
2. Count the number of events by sourcetype and transpose the results to display the 3 highest counts
Count the number of events by sourcetype and display the sourcetypes with the highest count first.
index=_internal | stats count by sourcetype | sort -count
Use the transpose command to convert the rows to columns and show the source types with the 3 highest counts.
index=_internal | stats count by sourcetype | sort -count | transpose 3
3. Transpose a set of data into a series to produce a chart
This example uses the sample dataset from the Search Tutorial.
|
Search all successful events and count the number of views, the number of times items were added to the cart, and the number of purchases.
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases
This search produces a single row of data.
When you switch to the Visualization tab, the data displays a chart with the "34282 views" as the X axis label and two columns, one for "addtocart "and one for "purchases". Because the information about the views is placed on the X axis, this chart is confusing.
If you change to a pie chart, you see only the "views".
Use the transpose command to convert the columns of the single row into multiple rows.
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | transpose
Now these rows can be displayed in a column or pie chart where you can compare the counts.
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the transpose command.
|
PREVIOUS transaction |
NEXT trendline |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6
Comments
In the product when you are using the "transpose" command, the "Learn more" link in the product should of course link here. However it drops you at the root of the Admin manual.
specifically -- http://localhost:8000/en-US/help?location=search_app.assist.transpose
ultimately redirects the user to
http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/LearnhowtoadministerSplunk
Sideview - Thank you so much for letting us know about this issue with the Learn More link. I have fixed the problem and mapped the link to this page. It should be working now in Splunk Web.