
Using the untable Command


Splunk Search Command Of The Week: untable

Written by: Eric Holsinger | Last Updated: February 2, 2024 | Originally Published: January 31, 2024

Splunk untable Command

In the dynamic realm of data analysis, Splunk stands out as a powerful tool for extracting insights from machine-generated data. Splunk commands play a crucial role in this process, and one such command that proves invaluable is untable. In this blog post, we will delve into the intricacies of the untable command, explore its purpose, benefits, and various use cases.

What is the untable Command?

The untable command in Splunk is designed to transform tabular data into individual events. Essentially, it takes data that has been structured into tables and converts it back into its original, granular format, making it easier to analyze and visualize.

This command is particularly useful when dealing with data that has been aggregated or summarized, and you need to drill down into the details. By “un-tabling” the data, you can regain a more fine-grained perspective, unlocking deeper insights.

Benefits of the untable Command

  • Granular Analysis: The primary benefit of the untable command is the ability to perform granular analysis on aggregated data. It allows you to break down summarized information into individual events, enabling a more detailed exploration of your data.
  • Enhanced Visualization: When dealing with large datasets, visualizations become more insightful when the data is in its raw form, because the raw form provides more context. The untable command facilitates better visualization by providing access to the original, detailed events.
  • Improved Troubleshooting: In scenarios where issues need to be identified and resolved, the untable command proves invaluable. By reverting aggregated data to its raw format, you gain a clearer view of individual events, making it easier to pinpoint and troubleshoot problems.

Use Cases for untable

SCENARIO #1: Security Analysis

index=wineventlog EventCode=4625
| timechart count by user
| untable _time user count


In this example, assume you have wineventlogs that summarize failed login attempts. The untable command is used to revert the aggregated count back into individual events, providing a detailed view of failed login attempts per user and time.

SCENARIO #2: User Behavior Analysis

| chart count over user by page_visited
| untable user page_visited count

In this use case, web logs are summarized to show the count of visits to different pages by users. The untable command is utilized to revert this summary and provide a detailed view of each visit, enabling a more in-depth analysis of user behavior on specific pages.
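The search below is an added example, not part of the original post, that runs without any indexed data and shows the three untable arguments at work on failed-logon style records: the field to keep as the row key, the name for the new field that receives the former column names, and the name for the new field that receives the cell values. The user names and the 192.0.2.x addresses are constructed sample values, and the field name constructed_sample is made up for this illustration.

```spl
| makeresults
| eval constructed_sample=split("alice,192.0.2.5;alice,192.0.2.5;alice,192.0.2.9;bob,192.0.2.9;bob,192.0.2.9;bob,192.0.2.9;carol,192.0.2.7", ";")
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<user>[^,]+),(?<src_ip>.+)$"
| chart count over user by src_ip
| untable user src_ip count
| where count > 0
| sort - count
```

The chart step produces one row per user with one column per source address, filling pairs that never occurred with 0; untable turns each cell into its own user / src_ip / count row, so the where clause is what removes the zero-filled pairs before sorting or alerting on the counts.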


The untable command emerges as an asset for data analysts and administrators seeking to extract meaningful insights from aggregated data. Its ability to revert summarized data back to its detailed form provides a powerful tool for granular analysis, troubleshooting, and enhanced visualization.

By incorporating the untable command into your Splunk queries, you can unlock the full potential of your data, revealing nuances that might be overlooked. No matter your focus, untable can empower you to explore your data at a deeper level, making your Splunk experience even more powerful and insightful.
