The answer is always YES with Splunk 😀 and often there is more than one way to achieve the same result. Here is an example with your data setup (note that in your data example, your C2/C sum is shown as '3' in the right table, however, from the data in the left, it should be 4, right? | makeresults | eval _raw="Class,name,number C1,A,1 C1,B,2 C2,C,1 C1,A,1 C1,B,2 C2,C,3" | multikv forceheader=1 | table Class,name,number | stats sum(number) as sum by Class name | addcoltotals labelfield="Class" | appendpipe [ | stats sum(sum) as sum by Class ] so in this example, up to multikv is setting up the sample data from your left hand table, then: the first stats sum... is calculating the totals by Class/name to give you 3 rows. Then addcoltotals is giving the total for those 3 rows. After that the appendpipe/stats is then calculating the totals for each class based on the values of those 3 rows. Hope this helps.   ... View more

To use untable to add an extra dimension, you would need to combine the fields forming the left hand item, like this | makeresults | eval _raw="ID,Class,A,B,C 1122,C1,1,2,5 1144,C2,2,3,5 1155,C3,1,9,4" | multikv forceheader=1 ``` This is your table A ``` | eval ID=ID.":".Class | table ID A B C ``` Now convert to your table B ``` | untable ID pick number | rex field=ID "(?<ID>[^:]*):(?<Class>.*)" | table ID Class pick number which is creating the ID fields as ID+":"+Class and then untabling and then splitting back out the Class after the untable. There would be other ways to do the same thing in Splunk - there is always more than one way... Here is another way to do it with the additional class field | makeresults | eval _raw="ID,Class,A,B,C 1122,C1,1,2,5 1144,C2,2,3,5 1155,C3,1,9,4" | multikv forceheader=1 ``` This is your table A ``` | table ID Class A B C ``` Now combine all the row values to a single field 'Values' and remove the original fields ``` | eval Values=mvappend(A, B, C) | fields - A B C ``` and now expand those values ``` | mvexpand Values ... View more