https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514657#M144464 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225135">@vinod0313</a>&nbsp;,<BR /><BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>'s option is dynamic like that.&nbsp; You only need the part starting with <EM>| kv</EM><BR />The lines above were just to make up some sample data.<BR /><BR />You can change ABC to ACB or ACAB or whatever your data will have - only the ones with "true" as value will be listed. Give it a try <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />BR<BR />Ralph</P> Tue, 18 Aug 2020 09:48:07 GMT rnowitzki 2020-08-18T09:48:07Z https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514618#M144452 <P>Hello<BR /><BR />I have a log like this:<BR /><BR />ABC=true,DEF=false,GHI=false,JKL=true<BR /><BR /><BR />I want to show only ABC and JKL in the result,because these are having value as true.<BR /><BR />Result should be like below<BR /><BR /><BR /></P><P>ABC<BR />JKL</P> Tue, 18 Aug 2020 07:30:13 GMT https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514618#M144452 vinod0313 2020-08-18T07:30:13Z https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514623#M144454 <P>index=_internal | head 1 | fields _raw<BR />| eval _raw="ABC=true,DEF=false,GHI=false,JKL=true"<BR />| rename COMMENT as "this is sample"</P><P>| kv<BR />| eval col="1"<BR />| table col *<BR />| untable col field value<BR />| where value="true"</P> Tue, 18 Aug 2020 07:40:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514623#M144454 to4kawa 2020-08-18T07:40:54Z https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514653#M144461 <P>That is not a static log,it is dynamic log<BR /><BR />ABC=TRUE or FALSE depend upon Source The ABC value may differ&nbsp;<BR />so if the value of ABC=TRUE then we have to show ABC in result other wise No.</P> Tue, 18 Aug 2020 09:37:23 GMT https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514653#M144461 vinod0313 2020-08-18T09:37:23Z https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514657#M144464 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225135">@vinod0313</a>&nbsp;,<BR /><BR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>'s option is dynamic like that.&nbsp; You only need the part starting with <EM>| kv</EM><BR />The lines above were just to make up some sample data.<BR /><BR />You can change ABC to ACB or ACAB or whatever your data will have - only the ones with "true" as value will be listed. Give it a try <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />BR<BR />Ralph</P> Tue, 18 Aug 2020 09:48:07 GMT https://community.splunk.com/t5/Splunk-Search/Splunk/m-p/514657#M144464 rnowitzki 2020-08-18T09:48:07Z