untable command: Examples
Examples for using the SPL2 untable command.
Example results before using the untable command
It's useful to see the shape of the search results before implementing the untable command.
The following search returns a count of the events, organized by the host and status fields.
from main where status=200 | stats count() by host, statusThe results look like this:
| host | status | count |
|---|---|---|
| www1 | 200 | 42 |
| www2 | 200 | 46 |
| www3 | 200 | 51 |
| www4 | 200 | 39 |
Example results after using the untable command
The following example adds the untable command to the previous example and converts the results from the stats command.
The
hostfield becomes row labels.The
countandstatusfield names become values in the labels field.The values from the
countandstatusfields become the values in the data field.
from main where status=200 | stats count() by host, status | untable host, label, dataThe results look like this:
| host | label | data |
|---|---|---|
| www1 | count | 42 |
| www1 | status | 200 |
| www2 | count | 51 |
| www2 | status | 200 |
| www3 | count | 42 |
| www3 | status | 200 |
| www4 | count | 51 |
| www4 | status | 200 |
See also
untable command