Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display nested tables?

amerineni
Loves-to-Learn
‎05-22-2020 01:06 PM

My events looks like this: REQUEST_NAME is the common field that ties both request and services.

LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1

I want to see if this display is possible in a table format. Thanks for the help.

XXXX       200                                                       SER1 200  
                                                                     SER2 200
                                                                     SER2 200
YYYY       300                                                       SER1 200
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-22-2020 03:11 PM 
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-22-2020 03:11 PM 
| makeresults
| eval _raw=" LogType=REQUEST status=200 REQUEST_NAME=XXXX              URI=REQ1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER1
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER2
 LogType=SERVICE status=200 REQUEST_NAME=XXXX              URI=SER3
 LogType=REQUEST status=200 REQUEST_NAME=YYYY              URI=REQ2
 LogType=SERVICE status=200 REQUEST_NAME=YYYY              URI=SER1"
 | multikv noheader=t 
 | fields _raw
 | kv
 | sort URI
 | where LogType="SERVICE"
 | stats list(URI) as URI list(status) as status by REQUEST_NAME

result:

REQUEST_NAME    URI status
XXXX    SER1    200
        SER2    200
        SER3    200
YYYY    SER1    200

what's 300 in your sample?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...