Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display nested tables?

amerineni
Loves-to-Learn
‎05-22-2020 01:06 PM

My events looks like this: REQUEST_NAME is the common field that ties both request and services.

LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1

I want to see if this display is possible in a table format. Thanks for the help.

XXXX       200                                                       SER1 200  
                                                                     SER2 200
                                                                     SER2 200
YYYY       300                                                       SER1 200
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-22-2020 03:11 PM 
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-22-2020 03:11 PM 
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...