Assuming that the CSV fields are known to Splunk in the manner you state;
...| eval full_type = type . "(" . subtype . ")" | table full_type, name, sal
As you can see, this is a quite simple operation (just doing some string manipulation, and then tabulating it). Like jonuwz and Ayn says, please provide more complex data, if this solution is not good enough.
Hope this helps,
Kristian
Assuming that the CSV fields are known to Splunk in the manner you state;
...| eval full_type = type . "(" . subtype . ")" | table full_type, name, sal
As you can see, this is a quite simple operation (just doing some string manipulation, and then tabulating it). Like jonuwz and Ayn says, please provide more complex data, if this solution is not good enough.
Hope this helps,
Kristian
Please show us what the desired output would be in that more complex scenario.
my event is CSV and i want output in a table. Yes please assume that there are more events with multiple types and sub types
The sample output you require is just reformatting the event data you already have - there's no joins or group by.
Perhaps you could give a sample output when there is more than one of human(male) and/or more than one of human(female)