https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/666069#M228502 <P>Thank you very much!</P> Tue, 24 Oct 2023 19:59:31 GMT Awanish1212 2023-10-24T19:59:31Z https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/661141#M228261 <P>These are the sample parameters for index, host, source</P><P>index="production"<BR />host="abc.com-i-1234"<BR />source="Log-*-3333-abc4j.log"</P><P>Suppose there are three Splunk queries as shown below:<BR />----------------------------------------</P><P><STRONG>Query 1:</STRONG></P><P><STRONG>index="production" host="abc.com-*" source="Log-*" | eval ID=substr(host,9,7) | dedup ID| table ID</STRONG></P><P>Suppose it gives output as :</P><TABLE border="0" width="64" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="19">ID</TD></TR><TR><TD height="19">i-1234</TD></TR><TR><TD height="19">i-5678</TD></TR><TR><TD height="19">i-9123</TD></TR><TR><TD height="19">i-4567</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>------------------------------<BR /><STRONG>Query 2:</STRONG></P><P><STRONG>index="production" host="abc.com-$field2$" source="Log-*-*-abc4j.log" | eval Sub_ID = mvindex(split(source,"-"),2) | dedup Sub_ID | table Sub_ID</STRONG></P><P>Suppose it gives output as :</P><TABLE border="0" width="64" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="19">Sub_ID</TD></TR><TR><TD height="19">111</TD></TR><TR><TD height="19">222</TD></TR><TR><TD height="19">3333</TD></TR><TR><TD height="19">4444</TD></TR><TR><TD height="19">555</TD></TR><TR><TD height="19">666</TD></TR><TR><TD height="19">7777</TD></TR><TR><TD height="19">8888</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>where, $field2$ denotes the "ID" generated from Query 1 and each "ID" from Query 1 is mapped to two values of "Sub_ID" generated from Query 2.</P><P>E.g<BR />if the query was-<BR />index="production" host="abc.com-i-1234" source="Log-*-*-abc4j.log" | eval Sub_ID = mvindex(split(source,"-"),2) | dedup Sub_ID | table Sub_ID</P><P>it will give output as:</P><TABLE border="0" width="64" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="19">Sub_ID</TD></TR><TR><TD height="19">111</TD></TR><TR><TD height="19">222</TD></TR></TBODY></TABLE><P><BR />-------------------------------------------</P><P><STRONG>Query 3:</STRONG></P><P><STRONG>index="production" host="abc.com-$field2$" source="Log-*-$field3$-log4j.log" | dedup RP_Remote_User | table RP_Remote_User | stats count as events</STRONG></P><P>Suppose it gives output as :<BR />events:<BR />52</P><P><BR />where, $field2$ denotes the "ID" generated from query 1 and $field3$ denotes the "Sub_ID" generated from Query 2</P><P>E.g<BR />if the query was-<BR />index="production" host="abc.com-i-1234" source="Log-*-3333-log4j.log" | dedup RP_Remote_User | table RP_Remote_User | stats count as events</P><P>it will give output as: (on the basis of "ID" : i-1234 and "Sub_ID":3333)<BR />events:<BR />52</P><P>---------------------------------------</P><P><BR /><STRONG>Could you please help me with the Splunk query to generate the output in tabular format as below (count of events corresponding to each ID and its Sub_ID) with the help of above mentioned three queries:</STRONG></P><TABLE border="0" width="192" cellspacing="0" cellpadding="0"><TBODY><TR><TD width="64" height="19">ID</TD><TD width="64">Sub_ID</TD><TD width="64">Events</TD></TR><TR><TD height="19">i-1234</TD><TD>111</TD><TD>38</TD></TR><TR><TD height="19">&nbsp;</TD><TD>222</TD><TD>48</TD></TR><TR><TD height="19">i-5678</TD><TD>3333</TD><TD>52</TD></TR><TR><TD height="19">&nbsp;</TD><TD>4444</TD><TD>45</TD></TR><TR><TD height="19">i-9123</TD><TD>555</TD><TD>23</TD></TR><TR><TD height="19">&nbsp;</TD><TD>666</TD><TD>34</TD></TR><TR><TD height="19">i-4567</TD><TD>7777</TD><TD>12</TD></TR><TR><TD height="19">&nbsp;</TD><TD>8888</TD><TD>29</TD></TR></TBODY></TABLE> Wed, 18 Oct 2023 07:26:36 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/661141#M228261 Awanish1212 2023-10-18T07:26:36Z https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/666040#M228492 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258647">@Awanish1212</a>&nbsp;- Try below</P><LI-CODE lang="markup">index="production" host="abc.com-*" source="Log-*" | eval ID=substr(host,9,7) | eval Sub_ID = mvindex(split(source,"-"),2) | stats dc(RP_Remote_User) as events by ID, Sub_ID | stats list(Sub_ID) as Sub_ID, list(events) as events by ID</LI-CODE><P>&nbsp;</P><P>I hope this helps!!! Kindly upvote if it does!!!</P> Tue, 24 Oct 2023 16:47:17 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/666040#M228492 VatsalJagani 2023-10-24T16:47:17Z https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/666069#M228502 <P>Thank you very much!</P> Tue, 24 Oct 2023 19:59:31 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Table-Query/m-p/666069#M228502 Awanish1212 2023-10-24T19:59:31Z