https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152026#M42608 <P>Try something like this</P> <PRE><CODE>your base search giving fields Organization Unit Ticket_state Severity Year Count | eval RowLabel=Organiation."-".Unit."-".Ticket_state."-".Severity | chart sum(count) as count over RowLabel by Year | addtotals fieldname="Total" 2* | eval Org=mvindex(split(RowLabel,"-"),0)| appendpipe [| stats sum(*) as * by Org | eval RowLabel=Org."Z"] | sort RowLabel | fields - Org </CODE></PRE> Fri, 31 Jul 2015 18:23:49 GMT somesoni2 2015-07-31T18:23:49Z https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152024#M42606 <P>I need to make a chart of nested columns like we can do in excel pivot.</P> <P>Sample data and required view is given in the screenshot:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/525i0C2D92C072A9988B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Is it possible to achieve this in SPLUNK? If not, what best can be done in this case? Please advise.</P> <P>Thank you so much!</P> Fri, 31 Jul 2015 17:37:46 GMT https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152024#M42606 ishaanshekhar 2015-07-31T17:37:46Z https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152025#M42607 <P>Take a look at the <CODE>appendpipe</CODE> command. I think it will get you started.</P> Fri, 31 Jul 2015 18:20:39 GMT https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152025#M42607 lguinn2 2015-07-31T18:20:39Z https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152026#M42608 <P>Try something like this</P> <PRE><CODE>your base search giving fields Organization Unit Ticket_state Severity Year Count | eval RowLabel=Organiation."-".Unit."-".Ticket_state."-".Severity | chart sum(count) as count over RowLabel by Year | addtotals fieldname="Total" 2* | eval Org=mvindex(split(RowLabel,"-"),0)| appendpipe [| stats sum(*) as * by Org | eval RowLabel=Org."Z"] | sort RowLabel | fields - Org </CODE></PRE> Fri, 31 Jul 2015 18:23:49 GMT https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152026#M42608 somesoni2 2015-07-31T18:23:49Z https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152027#M42609 <P>Thanks a lot, somesoni2! Your solution worked nicely and is giving correct results...</P> <P>However, for some reason the values under RowLabel are coming in one row and are not grouped. And some values under RowLabel column have 'Z' appended in the end.</P> <P>Please advise. Thank you!</P> <P>Not able to upload the screenshot, so pasting values here:</P> <P>RowLabel 2011 2012 2013 2014 2015 Total<BR /> Computer Management-Financial Department-3-Active 1 8 9<BR /> Science Management-Physics Department-3-Deferred - Other 1 1<BR /> Engineering Management-IT Department-3-Queued 1 1<BR /> Chemistry ManagementZ 2 9 11</P> Mon, 03 Aug 2015 17:14:06 GMT https://community.splunk.com/t5/Splunk-Search/create-table-chart-like-excel-pivot/m-p/152027#M42609 ishaanshekhar 2015-08-03T17:14:06Z