https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530065#M149758 <P>There doesn't appear to be anything wrong, the absence of Completed and the other APIs from the results probably means they are absent from the events in your selected time period.</P> Thu, 19 Nov 2020 10:44:56 GMT ITWhisperer 2020-11-19T10:44:56Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/529890#M149692 <P>Hi,</P><P>I was trying to add 2 searches</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| multisearch [search host=p-css* SRCreateRequest 400 | stats count as CreateSR | appendcols [search host=p-css* SRUpdateRequest 400 | stats count as UpdateSR] | appendcols [search host=p-css* SREscalateRequest 400 | stats count as EscalateSR] | appendcols [search host=p-css* SRCloseRequest 400 | stats count as CloseSR] | eval type="400"] [appendcols search host=p-css* SRCreateRequest Publisher: Completed | stats count as CreateSR | appendcols [search host=p-css* SRUpdateRequest Publisher: Completed | stats count as UpdateSR] | appendcols [search host=p-css* SREscalateRequest Publisher: Completed | stats count as EscalateSR] | appendcols [search host=p-css* SRCloseRequest Publisher: Completed | stats count as CloseSR] | eval type="Completed"] | chart count(Name) over 400 by Completed</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Getting error "Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command)."</P><P>&nbsp;</P><P>My expected output&nbsp; will be having a table format:</P><P>giving some example here</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">API</TD><TD width="33.333333333333336%">400</TD><TD width="33.333333333333336%">Completed</TD></TR><TR><TD width="33.333333333333336%">CreateSR</TD><TD width="33.333333333333336%">30</TD><TD width="33.333333333333336%">50</TD></TR><TR><TD width="33.333333333333336%">UpdateSR</TD><TD width="33.333333333333336%">5</TD><TD width="33.333333333333336%">25</TD></TR><TR><TD width="33.333333333333336%">CloseSR</TD><TD width="33.333333333333336%">24</TD><TD width="33.333333333333336%">30</TD></TR></TBODY></TABLE> Wed, 18 Nov 2020 11:34:32 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/529890#M149692 shashidharh 2020-11-18T11:34:32Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/529919#M149705 <P>Appendcols is not a streaming command and cannot be used in multisearch.</P> Wed, 18 Nov 2020 14:30:45 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/529919#M149705 richgalloway 2020-11-18T14:30:45Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530022#M149738 <P>ohk, what could be the good solution for this query to get above result ?</P> Thu, 19 Nov 2020 03:51:24 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530022#M149738 shashidharh 2020-11-19T03:51:24Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530047#M149751 <P>It depends what your data looks like!</P><P>Assuming you have fields API, status, publisher and completed,&nbsp;</P><LI-CODE lang="markup">host=p-css* (SRCreateRequest OR SRUpdateRequest OR SREscalateRequest OR SRCloseRequest) (400 OR (Publisher: AND Completed)) | eval fourhundred=if(status=400, 1, 0) | eval complete=if(publisher="Publisher:" AND completed="Completed", 1, 0) | stats sum(fourhundred) as "400" sum(complete) as Completed by API</LI-CODE><P>&nbsp;</P> Thu, 19 Nov 2020 08:12:19 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530047#M149751 ITWhisperer 2020-11-19T08:12:19Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530051#M149754 <P>yes, it is not giving the output..</P><P>but modified as below .. here all APIs are not showing along with "Completed"</P><P>anything wrong ?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Nov19.PNG" style="width: 683px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11980i88AF4A63E8A2C313/image-dimensions/683x198?v=v2" width="683" height="198" role="button" title="Nov19.PNG" alt="Nov19.PNG" /></span></P><P> </P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Nov 2020 08:59:13 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530051#M149754 shashidharh 2020-11-19T08:59:13Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530065#M149758 <P>There doesn't appear to be anything wrong, the absence of Completed and the other APIs from the results probably means they are absent from the events in your selected time period.</P> Thu, 19 Nov 2020 10:44:56 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530065#M149758 ITWhisperer 2020-11-19T10:44:56Z https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530071#M149761 <P>hm yes, is it possible to display those columns &amp; rows where we have "zero" values ?</P> Thu, 19 Nov 2020 11:54:23 GMT https://community.splunk.com/t5/Splunk-Search/multisearch-in-table-format/m-p/530071#M149761 shashidharh 2020-11-19T11:54:23Z