Can you help me with a search query using the tabl...

anandhalagarasa · ‎04-02-2019

Hi Team,

I have a query to segregate and provide the data in a table format in Splunk Enterprise.

index=xxx sourcetype="xyz" "ERROR" |table index, sourcetype, Level

In this search query now, i am getting a table format with index sourcetype and Level information in a perfect manner. But I also want to display in the table format the search query also i.e. (index=xxx sourcetype="xyz" "ERROR" )

So how can i get the data something like:

index  sourcetype level query

kamlesh_vaghela · ‎04-02-2019

@anandhalagarasan

Can you please try this search?

index=xxx sourcetype="xyz" "ERROR" 
| table index, sourcetype, Level 
| addinfo 
| map search=" | rest splunk_server=local count=0 /services/search/jobs | search sid=$info_sid$ | eval sourcetype=$sourcetype$,index=$index$, Level=$Level$| table index sourcetype Level title | rename title as query"

Here, I have used map. Ref:https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/map

I have tried with below sample search.

index="_internal" | stats count by sourcetype | addinfo | map search=" | rest splunk_server=local count=0 /services/search/jobs | search sid=$info_sid$ | eval sourcetype=$sourcetype$,count=$count$| table title sourcetype count"

Thanks

anandhalagarasa · ‎04-04-2019

The query seems to be not working fine as expected.

Can you help me with a search query using the table command?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation