Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Formatting output in table

krusovice
Path Finder
‎03-08-2018 06:14 PM

Hi all,

I've a request to come out with a table with information as below.

My query so far is to extract the required data from the log:

index=*  | search "$clicked_request$ - Country: $clicked_country$ - City: $City$ - Total: $total$"

Correct match with log data:

2018-02-21 01:50:22.600 INFO Request_A - Country: UK - City: LDN - Total: 120
2018-02-21 01:57:22.300 INFO Request_A - Country: UK - City: LDN - Total: 130
2018-02-21 02:00:22.390 INFO Request_A - Country: UK - City: MAN - Total: 100

However, I have the problem to format it into desired table format as below:

DATE         COUNTRY        CITY       DATE_HOUR          TOTAL
2018-02-21  UK          LDN              1         120
                                                1          130
                            MAN              2         100

How can I do this with the query?

Thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

deepashri_123
Motivator
‎03-08-2018 07:57 PM

Hey krusovoice,
Try something like this,
index=* | eval date=strftime(_time, "%Y-%m-%d") | stats values(total) AS total values(date_hour) AS date_hour by date,country,city

Let me know if this works!!
I am assuming that your fields are already extracted

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

deepashri_123
Motivator
‎03-08-2018 07:57 PM

Hey krusovoice,
Try something like this,
index=* | eval date=strftime(_time, "%Y-%m-%d") | stats values(total) AS total values(date_hour) AS date_hour by date,country,city

Let me know if this works!!
I am assuming that your fields are already extracted

0 Karma
Reply
Solved! Jump to solution

krusovice
Path Finder
‎03-08-2018 09:44 PM

hi @deepashri_123,

You've given me some idea how to construct the stats command. I've added with eval prior to stats to extract the value of $$.

Would you mind to reply as answer to my post so that I've click "accept as answer"?

Thank you very much for your help.

0 Karma
Reply
Solved! Jump to solution

krusovice
Path Finder
‎03-08-2018 09:45 PM

sorry, $$ should be :

$<token_name>$
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...