topic Re: Creating a SubHeading in Splunk in Splunk Search

Creating a SubHeading in Splunk

mahbs — Mon, 04 Dec 2017 13:43:23 GMT

Hi,

How do I go about creating a subheading in splunk. My table is in the following format:

         Date1            Date2
ITEM | DIFF | DIFF2   | DIFF | DIFF2

Essentially, I have data for DIFF and DIFF2 for day 1, and then the same for day2.

Currently, It's like this:

ITEM| DIFF | DIFF2 | DIFF | DIFF2 | Date
                                   04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017

Can someone help me with this please or direct me to an alternative solution to this problem?

Thanks

Re: Creating a SubHeading in Splunk

niketn — Mon, 04 Dec 2017 14:15:10 GMT

@mahbs, can you add screenshot for expected output and also your current query?

Re: Creating a SubHeading in Splunk

mahbs — Tue, 29 Sep 2020 17:07:54 GMT

I'm not able to because I don't have enough points. This is my current query:
source=* host="xxx" sourcetype="csv" | rex field=source "(?:[^_]_){2}(?.).txt"| stats list(ITEM) as items list(SOH_DIFF) as soh_diff list(UNAVAILABLE_QTY_DIFF) as uqd by date |table items, soh_diff,uqd,date

The output is numerical values.

Re: Creating a SubHeading in Splunk

somesoni2 — Mon, 04 Dec 2017 19:17:25 GMT

Splunk doesn't support sub heading/2nd row column in headers. One thing you can try will be to add the date into the column names so that you can differentiate the columns by date. Like this (the regular expression on rex command was truncated, make sure you select Splunk query and press Ctrl+K to format the code next time).

source=* host="xxx" sourcetype="csv" | rex field=source "(?:[^_]_){2}(?.*).txt"| chart list(ITEM) as items list(SOH_DIFF) as soh_diff list(UNAVAILABLE_QTY_DIFF) as uqd by sourcetype date |table* items, *soh_diff,*uqd

Re: Creating a SubHeading in Splunk

woodcock — Tue, 05 Dec 2017 02:02:57 GMT

Edit your post and reformat the text so that the alignment is correct and maybe we can understand what you need.

Re: Creating a SubHeading in Splunk

mahbs — Tue, 05 Dec 2017 08:46:47 GMT

Thank you! It worked

Re: Creating a SubHeading in Splunk

niketn — Tue, 05 Dec 2017 10:02:52 GMT

@mahbs, please accept the answer to mark this question as answered.