Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I create this report table with two column...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is it possible to get a report like this in Splunk?
I have fields APP, status and category. Here I am taking the count of status for each category by APP. I want a category for each row, and under each APP, I want the status and total of each column with a Grand Total column on the far right side of the table. Please refer to the attached image sample.png as the table was too wide for proper formatting on this site.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (you will need to adjust some things to match your search/data and may need to re-order the fields):
YourBaseSearchHere APP="N-S" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "N-S Total" | appendcols [ YourBaseSearchHere APP="S-V" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "S-V Total" ] | eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ] | addcoltotals labelfield=Cat label=Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (you will need to adjust some things to match your search/data and may need to re-order the fields):
YourBaseSearchHere APP="N-S" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "N-S Total" | appendcols [ YourBaseSearchHere APP="S-V" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "S-V Total" ] | eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ] | addcoltotals labelfield=Cat label=Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, its working.
But one small thing. Is it possible to put N-S Total after app_status of N-S and S-V Total after app_Status of S-V Total and Grandtotal in last column
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand why Splunk is reordering the fields but you can manually reorder them with the fields command by specifying every field in the order that you desire.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
