Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display nested tables?

amerineni
Loves-to-Learn
‎05-22-2020 01:06 PM

My events looks like this: REQUEST_NAME is the common field that ties both request and services.

LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1

I want to see if this display is possible in a table format. Thanks for the help.

XXXX       200                                                       SER1 200  
                                                                     SER2 200
                                                                     SER2 200
YYYY       300                                                       SER1 200
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-22-2020 03:11 PM 
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-22-2020 03:11 PM 
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...