Not able to render a Splunk Table for events

Question

I am currently writing a Splunk Query to pull a report over the events and I am using this now to do it and it has to be using table only

index=1234 source="/apps/logs/*.log" AND "logType=API_RESPONSE"
| spath input=request
| spath input=response
| rename body.data.Item1 as Item1
| rename body.data.Item2 as Item2
| rename body.data.Item3 as Item3
| stats  count by URI   
| rename  count as NumberofTimes_Called_URI, URI as URI_Called
| table  Item1,Item2,Item3

Prerequisites

1. The API_RESPONSE is a JSON response
2. Item1, Item2, and Item3 are JSON fields in response.

Issue: Not able to render the Splunk table in the statistics for this part

| stats  count by URI   
| rename  count as NumberofTimes_Called_URI, URI as URI_Called

individually the above is working but when i combine and render the table it's not working.

Please help me fix this problem.

Answer 1

"It's not working" is not a problem description, but I'm guessing you are getting all nulls in the results table. That's because stats is a transforming command so the only fields available after it are those used in it, namely count and URI.

Since table (also a transforming command) only displays Item1, Item2, and Item3, there is no need for stats or rename.

If you intend to add count and URI to the table then replace stats with eventstats, which is not transforming.

index=1234 source="/apps/logs/*.log" AND "logType=API_RESPONSE"
| spath input=request
| spath input=response
| rename body.data.Item1 as Item1
| rename body.data.Item2 as Item2
| rename body.data.Item3 as Item3
| eventstats  count as NumberofTimes_Called_URI by URI   
| rename URI as URI_Called
| table  Item1,Item2,Item3, URI, NumberofTimes_Called_URI