Related Answers
Download topic as PDF
transpose
Description
Returns the specified number of rows (search results) as columns (list of field values), such that each search row becomes a column.
Syntax
transpose [int] [column_name=<string>] [header_field=<field>] [include_empty=<bool>]
Required arguments
None.
Optional arguments
- column_name
- Syntax: column_name=<string>
- Description: The name of the first column that you want to use for the transposed rows. This column contains the names of the fields.
- Default: column
- header_field
- Syntax: header_field=<field>
- Description: The field in your results to use for the names of the columns (other than the first column) in the transposed data.
- Default: row 1, row 2, row 3, and so on.
- include_empty
- Syntax: include_empty=<bool>
- Description: Specify whether to include (true) or not include (false) fields that contain empty values.
- Default: true
- int
- Syntax: <int>
- Description: Limit the number of rows to transpose. To transpose all rows, specify
| transpose 0, which indicates that the number of rows to transpose is unlimited. - Default: 5
Usage
When you use the transpose command the field names used in the output are based on the arguments that you use with the command. By default the field names are: column, row1, row2, and so forth.
Examples
1. Transpose the results of a chart command
Use the default settings for the transpose command to transpose the results of a chart command.
... | chart count BY host error_code | transpose
2. Count the number of events by sourcetype and transpose the results to display the 3 highest counts
Count the number of events by sourcetype and display the sourcetypes with the highest count first.
index=_internal | stats count by sourcetype | sort -count
Use the transpose command to convert the rows to columns and show the source types with the 3 highest counts.
index=_internal | stats count by sourcetype | sort -count | transpose 3
3. Transpose a set of data into a series to produce a chart
This example uses the sample dataset from the Search Tutorial.
|
Search all successful events and count the number of views, the number of times items were added to the cart, and the number of purchases.
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases
This search produces a single row of data.
The value for count AS views is the total number of the events that match the criteria sourcetype=access_* status=200, or the total count for all actions. The values for addtocart and purchases show the number of events for those specific actions.
When you switch to the Visualization tab, the data displays a chart with the "34282 views" as the X axis label and two columns, one for "addtocart "and one for "purchases". Because the information about the views is placed on the X axis, this chart is confusing.
If you change to a pie chart, you see only the "views".
Use the transpose command to convert the columns of the single row into multiple rows.
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | transpose
Now these rows can be displayed in a column or pie chart where you can compare the values.
In this particular example, using a pie chart is misleading. The views is a total count of all the actions, not just the addtocart and purchases actions. Using a pie chart implies that views is an action like addtocart and purchases. The pie chart implies that the value for views is 1 part of the total, when in fact views is the total.
There are a few ways to fix this issue:
- Use a column chart
- You can remove the
count AS viewscriteria from your search - You can add the
tablecommand before thetransposecommand in the search, for example:
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | table addtocart purchases | transpose
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the transpose command.
|
PREVIOUS transaction |
NEXT trendline |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.10, 6.4.11, 6.5.0, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1, 6.4.9, 6.5.1, 6.5.10, 6.5.1612 (Splunk Cloud only)
Comments
just a reminder to all reader here. The calculation of about example may be wrong.
the total views (action=*) included "addtocart" and "purchase".
So the correct calculation should be:
sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases | eval views=views-addtocart-purchases | transpose
Otherwise, the last pie chart it will misrepresent the total views as 44,798 (34282+5292+5224) instead of 34282.
Sideview - Thank you so much for letting us know about this issue with the Learn More link. I have fixed the problem and mapped the link to this page. It should be working now in Splunk Web.
In the product when you are using the "transpose" command, the "Learn more" link in the product should of course link here. However it drops you at the root of the Admin manual.
specifically -- http://localhost:8000/en-US/help?location=search_app.assist.transpose
ultimately redirects the user to
http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/LearnhowtoadministerSplunk
Quentinwl chung
Thank you for pointing this issue out ! I have added 2 notes to Example 3 to explain this and provided a few alternatives to avoid creating a misleading chart.