I'd like to display multiple column headers on the table, like in the image below.
I can create the table, but the problem is the column headers.
It doesn't matter what color they are.
I'd like to make just two rows as a column header. And, I'd like to make three groups on the first column header row.
Please refer to the attached image.
I'm waiting for your information.
Thank you in advance.
I am pretty sure this is not possible in Splunk. You can try looking on Splunkbase to see if someone has made a table app that can do something like that, but I don't believe that is doable out of the box.
This may help you: add a row on top of the actual result set row in your dashboard and span it into 3 columns.
Use the HTML width property to span your Group1,2,3.
In my case, there is a table with 25 columns. I have frozen the first two columns using CSS, and used legend color codes to distinguish data. But as we keep on adding columns, we need to define a common group for them.
Let's say, for example:
Columns A1, B1, C1 denote geographic details.
Columns D1, E1, F1 denote the stats for income (mean, median, mode).
Columns G1, H1 depict the population (5 years ago, present).
All these require a common header.
I am open to showing these headers as separate panels and linking both the tables.
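The grouping described in the post above (A1-C1 geographic, D1-F1 income, G1-H1 population), rendered as a spanning header row, as an added example that is not part of the original thread. It is plain JavaScript; the function names, the class name and the group labels are assumptions, and wiring the row into a Splunk dashboard is not shown.

```javascript
// Added example: builds the extra header row (<tr> of <th colspan=N>) that sits
// above a table's normal header row. All names here are hypothetical.

// Encode text before placing it in markup, since labels may come from search results.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// columns: field names in display order.
// groupOf: maps a field name to its group label; unmapped fields (for example the
// frozen leading columns) each get their own blank cell so alignment is preserved.
// Returns [{label, span}], merging only adjacent columns that share a group.
function computeGroupSpans(columns, groupOf) {
  const spans = [];
  for (const col of columns) {
    const label = Object.prototype.hasOwnProperty.call(groupOf, col) ? groupOf[col] : '';
    const last = spans[spans.length - 1];
    if (last && label !== '' && last.label === label) {
      last.span += 1;
    } else {
      spans.push({ label, span: 1 });
    }
  }
  return spans;
}

function renderGroupHeaderRow(columns, groupOf) {
  const cells = computeGroupSpans(columns, groupOf)
    .map((g) => `<th colspan="${g.span}">${escapeHtml(g.label)}</th>`);
  return `<tr class="group-header">${cells.join('')}</tr>`;
}

// Constructed sample: the eight columns and three groups from the post above.
const sampleColumns = ['A1', 'B1', 'C1', 'D1', 'E1', 'F1', 'G1', 'H1'];
const sampleGroups = {
  A1: 'Geographic', B1: 'Geographic', C1: 'Geographic',
  D1: 'Income', E1: 'Income', F1: 'Income',
  G1: 'Population', H1: 'Population',
};
console.log(renderGroupHeaderRow(sampleColumns, sampleGroups));
```

The sum of the `colspan` values always equals the number of columns, so the group row stays aligned when columns are added to a group.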
index=_internal sourcetype=splunkd* | bin span=1h _time | stats count by _time source sourcetype | eval source_sourcetype=sourcetype.": ".source | xyseries _time source_sourcetype count
Why don't you try xyseries?
| makeresults | eval _raw=split("abcdefgh","") | stats count by _raw | streamstats count as session | streamstats list(session) as count | mvexpand count | sort _raw - count | stats list(count) as session by _raw | fillnull a b c d e f g h | eval tmp=split("abcdefgh","") | foreach a b c d e f g h [ eval <<FIELD>> = mvindex(session, mvfind(tmp,"<<FIELD>>"))] | fields - _raw tmp session
How else was I going to calculate the rest?
My table cannot have big headers, that's why I didn't use xyseries.
Colors, for now, are doing the work of distinguishing.
Moreover, I was thinking of adding another bar on top, but Splunk's internal JS and CSS are not allowing my table to go beyond 100% of the page, hence I cannot expand my other table to cover all the columns.
Total columns as of now: 25, out of which Market and the market unit are frozen.