Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Creating a SubHeading in Splunk

mahbs
Path Finder
‎12-04-2017 05:43 AM

Hi,

How do I go about creating a subheading in splunk. My table is in the following format:

         Date1            Date2
ITEM | DIFF | DIFF2   | DIFF | DIFF2

Essentially, I have data for DIFF and DIFF2 for day 1, and then the same for day2.

Currently, It's like this:

ITEM| DIFF | DIFF2 | DIFF | DIFF2 | Date
                                   04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017

Can someone help me with this please or direct me to an alternative solution to this problem?

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-04-2017 06:02 PM

Edit your post and reformat the text so that the alignment is correct and maybe we can understand what you need.

0 Karma
Reply

somesoni2
Revered Legend
‎12-04-2017 11:17 AM

Splunk doesn't support sub heading/2nd row column in headers. One thing you can try will be to add the date into the column names so that you can differentiate the columns by date. Like this (the regular expression on rex command was truncated, make sure you select Splunk query and press Ctrl+K to format the code next time).

source=* host="xxx" sourcetype="csv" | rex field=source "(?:[^_]_){2}(?.*).txt"| chart list(ITEM) as items list(SOH_DIFF) as soh_diff list(UNAVAILABLE_QTY_DIFF) as uqd by sourcetype date |table* items, *soh_diff,*uqd
0 Karma
Reply

mahbs
Path Finder
‎12-05-2017 12:46 AM

Thank you! It worked

0 Karma
Reply

niketn
Legend
‎12-05-2017 02:02 AM

@mahbs, please accept the answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎12-04-2017 06:15 AM

@mahbs, can you add screenshot for expected output and also your current query?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mahbs
Path Finder
‎12-04-2017 07:44 AM

I'm not able to because I don't have enough points. This is my current query:
source=* host="xxx" sourcetype="csv" | rex field=source "(?:[^_]_){2}(?.).txt"| stats list(ITEM) as items list(SOH_DIFF) as soh_diff list(UNAVAILABLE_QTY_DIFF) as uqd by date |table items, soh_diff,uqd,date

The output is numerical values.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

AI workloads are different. They demand specialized infrastructure—powerful GPUs, enterprise-grade networking, ...

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...