Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Trouble tabling email details

hawkeyesc72
Engager
yesterday

I want to build a small dashboard that offers a quick view into emails a user has recently received. If I use this, I can get the sender address tabled properly:
(1).    index=office365
          | table P1Sender
          | search P1Sender=*


If I use this, I can get recipient count, recipient names and subject tabled properly:

(2).     index=office365
            | table Item.RecipientsCount, Item.Recipients{}.Name, Item.Subject
            | search Item.Recipients{}.Name=*, Item.Subject=*

My problem is I cannot get them tabled together in the same results view. If I try and add P1Sender to the (2) SPL table, I get an empty column. If I add P1Sender=* to the (2) search statement I get 0 results in every column.

Any advice? Screenshots of SPL and results in replies.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
4 hours ago

Your events do not have values for P1Sender at the same time as values for the other fields you are searching on. You need to find a field that has corresponding values in both sets of events so you can correlate the data. As @PickleRick says, we have no idea what your data looks like!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
yesterday

Ok. From the top.

1. What does your data look like? We have no idea what is in your events. From our point of view the info might simply not be available within the same events.

2. As a rule of thumb the table command should not be used anywhere else but at the very end of your search to transform your results to... well, a table for presentation purposes. It's not meant to be used mid-search.

Point 2 is a "good practice" remark but probably it's because of p.1 - your data itself.

0 Karma
Reply

hawkeyesc72
Engager
yesterday

Screenshot 2026-05-06 at 16.19.46.png

 Adding P1Sender to search statement blocks everything and nothing gets returned.

0 Karma
Reply

hawkeyesc72
Engager
yesterday

Screenshot 2026-05-06 at 16.20.09.png

 Recipient count, recipient names and subject all work as well. But trying to add in P1Sender, nothing happens.

0 Karma
Reply

hawkeyesc72
Engager
yesterday

Screenshot 2026-05-06 at 16.18.27.png

P1Sender by itself works. I blocked out most of the information for privacy reasons. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...