topic Re: Create Table Group Results in Splunk Search https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151185#M42368 <P>You also need rename option as it is in lguinn's answer</P> Mon, 21 Jul 2014 18:30:05 GMT strive 2014-07-21T18:30:05Z Create Table Group Results https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151182#M42365 <P>I have the following data:<BR /> <TABLE class="tg"><BR /> <TBODY><TR><BR /> <TH class="tg-031e">DateTime</TH><BR /> <TH class="tg-031e">GroupName</TH><BR /> <TH class="tg-031e">Count</TH><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-14T12:00:00</TD><BR /> <TD class="tg-031e">Group1</TD><BR /> <TD class="tg-031e">15<BR /></TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-14T12:00:00</TD><BR /> <TD class="tg-031e">Group2</TD><BR /> <TD class="tg-031e">17</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-14T12:00:00</TD><BR /> <TD class="tg-031e">Group3</TD><BR /> <TD class="tg-031e">19</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-15T12:00:00</TD><BR /> <TD class="tg-031e">Group1</TD><BR /> <TD class="tg-031e">18</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-15T12:00:00</TD><BR /> <TD class="tg-031e">Group2</TD><BR /> <TD class="tg-031e">20</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-15T12:00:00</TD><BR /> <TD class="tg-031e">Group3</TD><BR /> <TD class="tg-031e">25</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-16T12:00:00</TD><BR /> <TD class="tg-031e">Group1</TD><BR /> <TD class="tg-031e">19</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-16T12:00:00</TD><BR /> <TD class="tg-031e">Group2</TD><BR /> <TD class="tg-031e">20</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-16T12:00:00</TD><BR /> <TD class="tg-031e">Group3</TD><BR /> <TD class="tg-031e">25</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-17T12:00:00</TD><BR /> <TD class="tg-031e">Group1</TD><BR /> <TD class="tg-031e">22</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-17T12:00:00</TD><BR /> <TD class="tg-031e">Group2</TD><BR /> <TD class="tg-031e">25</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-17T12:00:00</TD><BR /> <TD class="tg-031e">Group3</TD><BR /> <TD class="tg-031e">30</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-18T12:00:00</TD><BR /> <TD class="tg-031e">Group1</TD><BR /> <TD class="tg-031e">25</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-18T12:00:00</TD><BR /> <TD class="tg-031e">Group2</TD><BR /> <TD class="tg-031e">32</TD><BR /> </TR><BR /> <TR><BR /> <TD class="tg-031e">2014-07-18T12:00:00</TD><BR /> <TD class="tg-031e">Group3</TD><BR /> <TD class="tg-031e">35</TD><BR /> </TR><BR /> </TBODY></TABLE><BR /> <BR /><BR /> What I want is to have Splunk display it like so:<BR /> <BR /></P> <TABLE class="tg"> <TBODY><TR> <TH class="tg-031e">Group</TH> <TH class="tg-031e">Monday</TH> <TH class="tg-031e">Tuesday</TH> <TH class="tg-031e">Wednesday</TH> <TH class="tg-031e">Thursday</TH> <TH class="tg-031e">Friday</TH> </TR> <TR> <TD class="tg-031e">Group1<BR /></TD> <TD class="tg-031e">15</TD> <TD class="tg-031e">18</TD> <TD class="tg-031e">19</TD> <TD class="tg-031e">22</TD> <TD class="tg-031e">25</TD> </TR> <TR> <TD class="tg-031e">Group2</TD> <TD class="tg-031e">17</TD> <TD class="tg-031e">20</TD> <TD class="tg-031e">20</TD> <TD class="tg-031e">25</TD> <TD class="tg-031e">32</TD> </TR> <TR> <TD class="tg-031e">Group3</TD> <TD class="tg-031e">19</TD> <TD class="tg-031e">25</TD> <TD class="tg-031e">25</TD> <TD class="tg-031e">30</TD> <TD class="tg-031e">35</TD> </TR> </TBODY></TABLE> <P><BR /><BR /> This will only ever display 1 week's worth of data, so the width of the table isn't a concern. Thanks in advance for any assistance! </P> <P>So far, I have this to pull the weekday out.</P> <PRE><CODE>&lt;search&gt; | eval WeekDay=upper(substr(date_wday,1,1)).substr(date_wday,2) </CODE></PRE> Mon, 21 Jul 2014 18:08:18 GMT https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151182#M42365 caviman2201 2014-07-21T18:08:18Z Re: Create Table Group Results https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151183#M42366 <P>I would do it this way</P> <PRE><CODE>yoursearchhere | eval Weekday = strftime(_time,"%a") | chart first(Count) as Count by GroupName Weekday | rename GroupName as Group </CODE></PRE> <P>Assuming that there is only one event for each group and each day of week (that's why <CODE>first</CODE> works here).</P> <P>Oops, just realized that this is likely to sort by the name of the day of the week, rather than what you want. So try this:</P> <PRE><CODE>yoursearchhere | eval Weekday = strftime(_time,"%w %a") | chart first(Count) as Count by GroupName Weekday | rename GroupName as Group | rename "0 Sun" as "Sun", "1 Mon" as "Mon", "2 Tue" as "Tue", "3 Wed" as "Wed", "4 Thu" as "Thu", "5 Fri" as "Fri", "6 Sat" as "Sat" </CODE></PRE> Mon, 21 Jul 2014 18:15:53 GMT https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151183#M42366 lguinn2 2014-07-21T18:15:53Z Re: Create Table Group Results https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151184#M42367 <P>Try this</P> <P>Assuming that there will be more than one Count for a day and group combination</P> <PRE><CODE>&lt;search&gt; | eval WeekDay=upper(substr(date_wday,1,1)).substr(date_wday,2) | chart sum(Count) as Count by GroupName WeekDay </CODE></PRE> Mon, 21 Jul 2014 18:27:15 GMT https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151184#M42367 strive 2014-07-21T18:27:15Z Re: Create Table Group Results https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151185#M42368 <P>You also need rename option as it is in lguinn's answer</P> Mon, 21 Jul 2014 18:30:05 GMT https://community.splunk.com/t5/Splunk-Search/Create-Table-Group-Results/m-p/151185#M42368 strive 2014-07-21T18:30:05Z