Splunk Enterprise 6.4.1.
I am trying to create a single table that displays data like this:
            Priority 1        Priority 2        Priority 3
server      Count   Volume    Count   Volume    Count   Volume
server-1    123     2.34      10      .13       75      1.72
server-2    195     2.32      15      .19       174     1.93
However, using the xyseries command, the data is output like this:
server      count:1   count:2   count:3   volume:1   volume:2   volume:3
server-1    123       10        75        2.34       .13        1.72
server-2    195       15        174       2.32       .19        1.93
I think we can live with the column headers looking like "count:1", etc., but is it possible to rearrange the columns so that the columns for count/volume for a specific priority are side-by-side? This is the search I use to generate the table:
index=foo | stats count as count sum(filesize) as volume by priority, server | xyseries server priority count volume | fillnull
Ideally, I'd like to change the column headers to be multiline, like:
Priority 1
count
Splunk doesn't support multiline headers. Try this workaround to see if this works for you.
Updated
index=foo | chart count as count sum(filesize) as volume by server priority | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *
Works great! As an aside, I was able to use the same rename command with my original search. I didn't know you could use the wildcard in that way. Very cool!