Splunk Search

How do you display multiple column headers on a table?

Path Finder

hello everyone

I'd like to display multiple column headers on the table like the below image.

I can create the table, but the problem is the column headers.

It doesn't matter what color they are.

I'd like to make just two rows as a column header. And, I'd like to make three groups on the first column header row.

Please refer to attached image.

I'm waiting for your information.

Thank you in advance.

alt text

Path Finder


Tags (2)
0 Karma

Path Finder

Hello everyone, 

I tried doing the same, but unable to do so, can someone provide a guided approach.

@niketn @nplamondon @jkat54 

@to4kawa @martin_mueller 

0 Karma


Why not label your columns A1,A2,A3,A4,B1,B2,B3&B4

if someone must have double column headers, show them excel 

Path Finder

in my case, there is a table with 25 columns, I have frozen the first two columns using CSS, and used legends color codes to distinguish data. But, as we keep on adding columns need to define a common group for them.


Let's Say for example :

column A1,B1,C1  denote geographic details.

column D1.E1,F1 denotes the stats for Income (mean, median,mode)

column G1,H1 depicts the population ( 5 years ago, present)


all these require a common header.


I am open to showing these headers as separate panels and link both the tables.

Ultra Champion



index=_internal sourcetype=splunkd*
| bin span=1h _time
| stats count by _time source sourcetype
| eval source_sourcetype=sourcetype.": ".source
| xyseries _time source_sourcetype count


Why don't you try xyseries ?


| makeresults
| eval _raw=split("abcdefgh","")
| stats count by _raw
| streamstats count as session
| streamstats list(session) as count
| mvexpand count
| sort _raw - count
| stats list(count) as session by _raw
| fillnull a b c d e f g h
| eval tmp=split("abcdefgh","")
| foreach a b c d e f g h [ eval <<FIELD>> = mvindex(session, mvfind(tmp,"<<FIELD>>"))]
| fields - _raw tmp session

How else was I going to calculate the rest?

0 Karma

Path Finder



My table cannot have big headers, that's why I didn't use xyseries.

Colors, for now, are doing the work of distinguishing 

Moreover, I was thinking of adding another bar on top, but splunk's internal js and css are not allowing my table to go beyond 100% of the page, hence I cannot expand my other table to cover all the columns.


Total Columns as of now 25. out of which Market and the market unit is frozen.


When you want to Group Columns in a table together, do you have fixed no. of fields for each group? If not what is the logic for grouping? Can the logic be handled in code (SPL or JS)?

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Hi @niketn 

I'm also looking for the similar requirement like in the below screenshot, I've to show counts for total and escalations. Please let me know if it is possible in Splunk with header and a sub-header. TIA




0 Karma


I like the colors approach!

0 Karma



This may help you, add row on top of the actual resultset row in your dashboard and span into 3 columns

  • <row><html><div><span>Group1</span>Group2<span>Group3</span><span></span></div></html></row>

Use html width property to span your Group1,2,3


0 Karma


I am pretty sure this is not possible in splunk. You can try looking on splunkbase to see if someone has made a table app that can do something like that, but I don't believe that is do-able out of the box.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...