Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating a SubHeading in Splunk

mahbs
Path Finder
‎12-04-2017 05:43 AM

Hi,

How do I go about creating a subheading in splunk. My table is in the following format:

         Date1            Date2
ITEM | DIFF | DIFF2   | DIFF | DIFF2

Essentially, I have data for DIFF and DIFF2 for day 1, and then the same for day2.

Currently, It's like this:

ITEM| DIFF | DIFF2 | DIFF | DIFF2 | Date
                                   04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017
                                                               04/12/2017

Can someone help me with this please or direct me to an alternative solution to this problem?

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-04-2017 06:02 PM

Edit your post and reformat the text so that the alignment is correct and maybe we can understand what you need.

0 Karma
Reply

somesoni2
Revered Legend
‎12-04-2017 11:17 AM

Splunk doesn't support sub heading/2nd row column in headers. One thing you can try will be to add the date into the column names so that you can differentiate the columns by date. Like this (the regular expression on rex command was truncated, make sure you select Splunk query and press Ctrl+K to format the code next time).

source=* host="xxx" sourcetype="csv" | rex field=source "(?:[^_]_){2}(?.*).txt"| chart list(ITEM) as items list(SOH_DIFF) as soh_diff list(UNAVAILABLE_QTY_DIFF) as uqd by sourcetype date |table* items, *soh_diff,*uqd
0 Karma
Reply

mahbs
Path Finder
‎12-05-2017 12:46 AM

Thank you! It worked

0 Karma
Reply

niketn
Legend
‎12-05-2017 02:02 AM

@mahbs, please accept the answer to mark this question as answered.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎12-04-2017 06:15 AM

@mahbs, can you add screenshot for expected output and also your current query?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mahbs
Path Finder
‎12-04-2017 07:44 AM

I'm not able to because I don't have enough points. This is my current query:
source=* host="xxx" sourcetype="csv" | rex field=source "(?:[^_]_){2}(?.).txt"| stats list(ITEM) as items list(SOH_DIFF) as soh_diff list(UNAVAILABLE_QTY_DIFF) as uqd by date |table items, soh_diff,uqd,date

The output is numerical values.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...