https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/581910#M202704 <P>I have a raw where each event looks like this (simplified for this exampel):<BR /><SPAN>{"</SPAN><SPAN class="">time</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">2022-01-20</SPAN> <SPAN class="">16:40:02.325216</SPAN><SPAN>", "</SPAN><SPAN class="">name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">name1</SPAN><SPAN>", "</SPAN><SPAN class="">deployment</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">found</SPAN><SPAN>", "secret</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">correct</SPAN><SPAN>"}<BR /></SPAN></P><P><SPAN>If "deployment": "not_found",&nbsp;</SPAN>I would like to have a table like:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">time</TD><TD width="33.333333333333336%">name</TD><TD width="33.333333333333336%">deployment</TD></TR><TR><TD width="33.333333333333336%"><SPAN class="">2022-01-20</SPAN> <SPAN class="">16:40:02.325216</SPAN></TD><TD width="33.333333333333336%"><SPAN class="">name1</SPAN></TD><TD width="33.333333333333336%"><SPAN class=""><SPAN>not_found</SPAN></SPAN></TD></TR></TBODY></TABLE><P><SPAN class=""><SPAN><BR />If "secret": "incorrect",&nbsp;I would like to have a table like:<BR /></SPAN></SPAN></P><TABLE border="1"><TBODY><TR><TD width="226.766px" height="25px">time</TD><TD width="226.766px" height="25px">name</TD><TD width="226.766px" height="25px">secret</TD></TR><TR><TD width="226.766px" height="25px"><SPAN class="">2022-01-20</SPAN> <SPAN class="">16:40:02.325216</SPAN></TD><TD width="226.766px" height="25px"><SPAN class="">name1</SPAN></TD><TD width="226.766px" height="25px"><SPAN class=""><SPAN>incorrect</SPAN></SPAN></TD></TR></TBODY></TABLE><P><SPAN class=""><SPAN>&nbsp;</SPAN></SPAN></P><P><SPAN class=""><SPAN>Currently, my search looks like this:<BR /></SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="python">index=index host=host source=source ("not_found" OR "incorrect") | table time name deployment secret</LI-CODE><P>&nbsp;</P><P><SPAN class=""><SPAN>But this means that both fields (deployment and secret) will be shown no matter what their value is.<BR /></SPAN></SPAN></P><P><SPAN class=""><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59">@Ayn</a>&nbsp;Is there a way to have a table which varies its fields depending on a certain condition?<BR /><BR /></SPAN></SPAN><SPAN class=""><SPAN>Thanks in advance!&nbsp;</SPAN></SPAN></P> Thu, 20 Jan 2022 16:00:46 GMT andres 2022-01-20T16:00:46Z https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/581910#M202704 <P>I have a raw where each event looks like this (simplified for this exampel):<BR /><SPAN>{"</SPAN><SPAN class="">time</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">2022-01-20</SPAN> <SPAN class="">16:40:02.325216</SPAN><SPAN>", "</SPAN><SPAN class="">name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">name1</SPAN><SPAN>", "</SPAN><SPAN class="">deployment</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">found</SPAN><SPAN>", "secret</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN> "</SPAN><SPAN class="">correct</SPAN><SPAN>"}<BR /></SPAN></P><P><SPAN>If "deployment": "not_found",&nbsp;</SPAN>I would like to have a table like:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">time</TD><TD width="33.333333333333336%">name</TD><TD width="33.333333333333336%">deployment</TD></TR><TR><TD width="33.333333333333336%"><SPAN class="">2022-01-20</SPAN> <SPAN class="">16:40:02.325216</SPAN></TD><TD width="33.333333333333336%"><SPAN class="">name1</SPAN></TD><TD width="33.333333333333336%"><SPAN class=""><SPAN>not_found</SPAN></SPAN></TD></TR></TBODY></TABLE><P><SPAN class=""><SPAN><BR />If "secret": "incorrect",&nbsp;I would like to have a table like:<BR /></SPAN></SPAN></P><TABLE border="1"><TBODY><TR><TD width="226.766px" height="25px">time</TD><TD width="226.766px" height="25px">name</TD><TD width="226.766px" height="25px">secret</TD></TR><TR><TD width="226.766px" height="25px"><SPAN class="">2022-01-20</SPAN> <SPAN class="">16:40:02.325216</SPAN></TD><TD width="226.766px" height="25px"><SPAN class="">name1</SPAN></TD><TD width="226.766px" height="25px"><SPAN class=""><SPAN>incorrect</SPAN></SPAN></TD></TR></TBODY></TABLE><P><SPAN class=""><SPAN>&nbsp;</SPAN></SPAN></P><P><SPAN class=""><SPAN>Currently, my search looks like this:<BR /></SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="python">index=index host=host source=source ("not_found" OR "incorrect") | table time name deployment secret</LI-CODE><P>&nbsp;</P><P><SPAN class=""><SPAN>But this means that both fields (deployment and secret) will be shown no matter what their value is.<BR /></SPAN></SPAN></P><P><SPAN class=""><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59">@Ayn</a>&nbsp;Is there a way to have a table which varies its fields depending on a certain condition?<BR /><BR /></SPAN></SPAN><SPAN class=""><SPAN>Thanks in advance!&nbsp;</SPAN></SPAN></P> Thu, 20 Jan 2022 16:00:46 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/581910#M202704 andres 2022-01-20T16:00:46Z https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/581995#M202731 <P>A table can have only one set of headings.&nbsp; You can combine two columns into one using <FONT face="courier new,courier">coalesce</FONT>.&nbsp; For example, this query will create a 3-column table with either deployment or secret in column3.&nbsp; The trick for the reader, however, is to determine which it is.</P><LI-CODE lang="markup">index=index host=host source=source ("not_found" OR "incorrect") | eval column3 = coalesce(deployment, secret) | rename column3 as "deployment or secret" | table time name "deployment or secret"</LI-CODE><P>&nbsp;</P> Fri, 21 Jan 2022 13:26:04 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/581995#M202731 richgalloway 2022-01-21T13:26:04Z https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/582086#M202761 <P>See if something like this works for you.</P><LI-CODE lang="markup">index=index host=host source=source ("not_found" OR "incorrect") | table time name deployment secret | eval metric=if(deployment="not found", "deployment", "secret") | eval val=if(deployment="not found", "not found", "incorrect") | table time name metric val | eval {metric}=val | fields - metric val</LI-CODE> Fri, 21 Jan 2022 19:24:10 GMT https://community.splunk.com/t5/Splunk-Search/Create-a-table-with-different-fields-depending-if-their-values/m-p/582086#M202761 somesoni2 2022-01-21T19:24:10Z