https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657433#M227078 <P>In your stats statement, add the other fields you need using evals: count(eval(status="Success")) as Success, count(eval(status="Failed")) as Failed, and remove the status from the by clause. After the stats, do an eval to calculate your percentages.&nbsp;</P> Wed, 13 Sep 2023 14:14:49 GMT etoombs 2023-09-13T14:14:49Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657429#M227076 <P>Hi,<BR />I want to create a splunk table using multiple fields. Let me explain the scenario<BR />I have the following fields</P> <P>Name<BR />Role (multiple roles will exist for each name)<BR />HTTPrequest (There are multiple response as 2**,3**,4** and 5**)</P> <P>My final output&nbsp; should be when the query is ran, It should the group the data in the below format for every day</P> <TABLE width="609"> <TBODY> <TR> <TD width="86.7812px">Date</TD> <TD width="86.8672px">Name</TD> <TD width="86.9297px">Role</TD> <TD width="86.9141px">Success</TD> <TD width="86.8438px">Failed&nbsp;</TD> <TD width="86.8047px">Total</TD> <TD width="86.8594px">Failed %</TD> </TR> <TR> <TD width="86.7812px">01-Jan-23</TD> <TD width="86.8672px">Rambo</TD> <TD width="86.9297px">Team lead</TD> <TD width="86.9141px">100</TD> <TD width="86.8438px">0</TD> <TD width="86.8047px">100</TD> <TD width="86.8594px">0</TD> </TR> <TR> <TD width="86.7812px">01-Jan-23</TD> <TD width="86.8672px">Rambo</TD> <TD width="86.9297px">Manager</TD> <TD width="86.9141px">100</TD> <TD width="86.8438px">10</TD> <TD width="86.8047px">110</TD> <TD width="86.8594px">10</TD> </TR> <TR> <TD width="86.7812px">01-Jan-23</TD> <TD width="86.8672px">King</TD> <TD width="86.9297px">operator</TD> <TD width="86.9141px">2000</TD> <TD width="86.8438px">100</TD> <TD width="86.8047px">2100</TD> <TD width="86.8594px">5</TD> </TR> <TR> <TD width="86.7812px">02-Jan-23</TD> <TD width="86.8672px">King</TD> <TD width="86.9297px">Manager</TD> <TD width="86.9141px">100</TD> <TD width="86.8438px">0</TD> <TD width="86.8047px">100</TD> <TD width="86.8594px">0</TD> </TR> <TR> <TD width="86.7812px">03-Jan-23</TD> <TD width="86.8672px">cheesy</TD> <TD width="86.9297px">Manager</TD> <TD width="86.9141px">100</TD> <TD width="86.8438px">10</TD> <TD width="86.8047px">110</TD> <TD width="86.8594px">10</TD> </TR> <TR> <TD width="86.7812px">04-Jan-23</TD> <TD width="86.8672px">cheesy</TD> <TD width="86.9297px">Team lead</TD> <TD width="86.9141px">4000</TD> <TD width="86.8438px">600</TD> <TD width="86.8047px">4600</TD> <TD width="86.8594px">15</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <P>So, What I tried is&nbsp;<BR />index=ABCD<BR />| bucket _time span=1d<BR />| eval status=case(HTTPrequest &lt; 400,"Success",HTTPrequest &gt; 399,"Failed" )<BR />| stats count by _time Name Role&nbsp;status<BR /><BR />This works something as below but I need the success and failure&nbsp; in to 2 seperate columns as I have shown above and also I need to add the failed % and total</P> <TABLE border="0" width="435" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="87" height="21">Date</TD> <TD width="87">Name</TD> <TD width="87">Role</TD> <TD width="87">HTTPStatus</TD> <TD width="87">COUNT</TD> </TR> <TR> <TD height="21">01-Jan-23</TD> <TD>Rambo</TD> <TD>Team lead</TD> <TD>Success</TD> <TD>100</TD> </TR> <TR> <TD height="21">01-Jan-23</TD> <TD>Rambo</TD> <TD>Team lead</TD> <TD>Failed</TD> <TD>0</TD> </TR> <TR> <TD height="21">01-Jan-23</TD> <TD>Rambo</TD> <TD>Manager</TD> <TD>Success</TD> <TD>100</TD> </TR> <TR> <TD height="21">01-Jan-23</TD> <TD>Rambo</TD> <TD>Manager</TD> <TD>Failed</TD> <TD>10</TD> </TR> <TR> <TD height="21">01-Jan-23</TD> <TD>King</TD> <TD>operator</TD> <TD>Success</TD> <TD>2000</TD> </TR> <TR> <TD height="21">01-Jan-23</TD> <TD>King</TD> <TD>operator</TD> <TD>Failed</TD> <TD>200</TD> </TR> <TR> <TD height="21">02-Jan-23</TD> <TD>King</TD> <TD>Manager</TD> <TD>Success</TD> <TD>10</TD> </TR> <TR> <TD height="21">03-Jan-23</TD> <TD>cheesy</TD> <TD>Manager</TD> <TD>Success</TD> <TD>300</TD> </TR> <TR> <TD height="21">04-Jan-23</TD> <TD>cheesy</TD> <TD>Team lead</TD> <TD>Success</TD> <TD>400</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I used the chart count over X by Y but this allows me to use only 2 fields and not more than 2</P> <P>Please could you suggest me on how to get this sorted.&nbsp;</P> Thu, 14 Sep 2023 16:57:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657429#M227076 suvi6789 2023-09-14T16:57:31Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657433#M227078 <P>In your stats statement, add the other fields you need using evals: count(eval(status="Success")) as Success, count(eval(status="Failed")) as Failed, and remove the status from the by clause. After the stats, do an eval to calculate your percentages.&nbsp;</P> Wed, 13 Sep 2023 14:14:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657433#M227078 etoombs 2023-09-13T14:14:49Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657439#M227082 <P>Hi etoombs,</P><P>Many thanks for the suggestion, I got that sorted.ta</P> Wed, 13 Sep 2023 15:22:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657439#M227082 suvi6789 2023-09-13T15:22:26Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657440#M227083 <P>It worked perfectly for me. Thank you again.</P> Wed, 13 Sep 2023 15:23:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-create-a-table-using-multiple-fields/m-p/657440#M227083 suvi6789 2023-09-13T15:23:48Z