Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display nested tables?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amerineni
Loves-to-Learn
05-22-2020
01:06 PM
My events looks like this: REQUEST_NAME is the common field that ties both request and services.
LogType=REQUEST status=200 REQUEST_NAME=XXXX URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY URI=SER1
I want to see if this display is possible in a table format. Thanks for the help.
XXXX 200 SER1 200
SER2 200
SER2 200
YYYY 300 SER1 200
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-22-2020
03:11 PM
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY URI=SER1"
| multikv noheader=t
| fields _raw
| kv
| sort URI
| where LogType="SERVICE"
| stats list(URI) as URI list(status) as status by REQUEST_NAME
result:
REQUEST_NAME URI status
XXXX SER1 200
SER2 200
SER3 200
YYYY SER1 200
what's 300 in your sample?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
05-22-2020
03:11 PM
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY URI=SER1"
| multikv noheader=t
| fields _raw
| kv
| sort URI
| where LogType="SERVICE"
| stats list(URI) as URI list(status) as status by REQUEST_NAME
result:
REQUEST_NAME URI status
XXXX SER1 200
SER2 200
SER3 200
YYYY SER1 200
what's 300 in your sample?
Get Updates on the Splunk Community!
Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More
Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...
Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)
Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...
Tech Talk | One Log to Rule Them All
One log to rule them all: how you can centralize your troubleshooting with Splunk logs
We know how important ...
