Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Display data in a tabular format
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for some help in getting the logs formatted in a tabular format
I have these in the logs getting printed every 5 minutes
07-06-19:00:40, eventtype=ping, rsptime=0.190, srvname=srv1, srvip=xxx.xxx.xxx.01
07-06-19:00:40, eventtype=ping, rsptime=0.201, srvname=srv2, srvip=xxx.xxx.xxx.02
07-06-19:00:40, eventtype=ping, rsptime=16.991, srvname=srv3, srvip=xxx.xxx.xxx.03
07-06-19:00:40, eventtype=ping, rsptime=17.000, srvname=srv4, srvip=xxx.xxx.xxx.04
07-06-19:05:40, eventtype=ping, rsptime=0.190, srvname=srv1, srvip=xxx.xxx.xxx.01
07-06-19:00:40, eventtype=ping, rsptime=0.201, srvname=srv2, srvip=xxx.xxx.xxx.02
07-06-19:05:40, eventtype=ping, rsptime=16.991, srvname=srv3, srvip=xxx.xxx.xxx.03
07-06-19:05:40, eventtype=ping, rsptime=17.000, srvname=srv4, srvip=xxx.xxx.xxx.04
I want the above data to presented in the below format
srv1|srv2|srv3|srv4
07-06-19:00 0.190 | 0.201 | 0.201 | 16.991 | 17.000
07-06-19:05 0.190 | 0.201 | 0.201 | 16.991 | 17.000
First row/column heading is going to be the server name
Rows will print the rsptime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You asked for this:
index=<You Should Always Specify An index> AND sourcetype=<And sourcetpye Too>
| table _time rsptime srvname
| xyseries _time srvname rsptime
But you probably need is something like this:
index=<You Should Always Specify An index> AND sourcetype=<And sourcetpye Too>
| timechart span=15m avg(rsptime) BY srvname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually your first query worked for me. Thank you Woodcock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You asked for this:
index=<You Should Always Specify An index> AND sourcetype=<And sourcetpye Too>
| table _time rsptime srvname
| xyseries _time srvname rsptime
But you probably need is something like this:
index=<You Should Always Specify An index> AND sourcetype=<And sourcetpye Too>
| timechart span=15m avg(rsptime) BY srvname
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
