Solved: Re: How to display nested tables?

amerineni · ‎05-22-2020

My events looks like this: REQUEST_NAME is the common field that ties both request and services.

LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1

I want to see if this display is possible in a table format. Thanks for the help.

XXXX       200                                                       SER1 200  
                                                                     SER2 200
                                                                     SER2 200
YYYY       300                                                       SER1 200

to4kawa · ‎05-22-2020

| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

View solution in original post

to4kawa · ‎05-22-2020

| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

How to display nested tables?

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials