Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to display nested tables?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amerineni
Loves-to-Learn
05-22-2020
01:06 PM
My events looks like this: REQUEST_NAME is the common field that ties both request and services.
LogType=REQUEST status=200 REQUEST_NAME=XXXX URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY URI=SER1
I want to see if this display is possible in a table format. Thanks for the help.
XXXX 200 SER1 200
SER2 200
SER2 200
YYYY 300 SER1 200
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-22-2020
03:11 PM
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY URI=SER1"
| multikv noheader=t
| fields _raw
| kv
| sort URI
| where LogType="SERVICE"
| stats list(URI) as URI list(status) as status by REQUEST_NAME
result:
REQUEST_NAME URI status
XXXX SER1 200
SER2 200
SER3 200
YYYY SER1 200
what's 300 in your sample?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-22-2020
03:11 PM
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY URI=SER1"
| multikv noheader=t
| fields _raw
| kv
| sort URI
| where LogType="SERVICE"
| stats list(URI) as URI list(status) as status by REQUEST_NAME
result:
REQUEST_NAME URI status
XXXX SER1 200
SER2 200
SER3 200
YYYY SER1 200
what's 300 in your sample?
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
