https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657987#M227274 <P>Does it always start with "<SPAN>awswaf:managed"? Or is there some other way to recognise the part you want displayed?</SPAN></P> Tue, 19 Sep 2023 11:43:24 GMT ITWhisperer 2023-09-19T11:43:24Z https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657981#M227271 <P>I have an output&nbsp;of</P> <P>&nbsp;</P> <P>index=feds&nbsp; | fillnull value="" | table httpRequest.clientIp labels{}.name</P> <DIV class="">awswaf:clientip:geo:country:US</DIV> <DIV class="">awswaf:managed:token:absent</DIV> <DIV class="">awswaf:clientip:geo:region:US-IL</DIV> <DIV class="">awswaf:managed:aws:bot-control:signal:non_browser_user_agent</DIV> <DIV class="">&nbsp;</DIV> <DIV class=""> <DIV class="">wswaf:clientip:geo:country:US</DIV> <DIV class="">awswaf:managed:token:absent</DIV> <DIV class="">awswaf:clientip:geo:region:US-IL</DIV> <DIV class="">awswaf:managed:aws:bot-control:signal:non_browser_user_agent</DIV> <DIV class="">&nbsp;</DIV> <DIV class=""> <DIV class="">wswaf:clientip:geo:country:US</DIV> <DIV class="">awswaf:managed:token:absent</DIV> <DIV class="">awswaf:clientip:geo:region:US-IL</DIV> <DIV class="">awswaf:managed:aws:bot-control:signal:non_browser_user_agent</DIV> </DIV> </DIV> <DIV class="">&nbsp;</DIV> <DIV class="">But need to filter <STRONG>"awswaf:managed:aws:bot-control:signal:non_browser_user_agent"</STRONG> on Table output and see the results only on&nbsp;<STRONG>"awswaf:managed:aws:bot-control:signal:non_browser_user_agent"</STRONG></DIV> Wed, 20 Sep 2023 18:51:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657981#M227271 RahulMisra 2023-09-20T18:51:46Z https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657982#M227272 <P>If it is always the last item of a multivalue field, you could try something like this</P><LI-CODE lang="markup">index=feds | fillnull value="" | table httpRequest.clientIp labels{}.name | rename "labels{}.name" as name | eval name=mvindex(name, -1)</LI-CODE> Tue, 19 Sep 2023 10:49:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657982#M227272 ITWhisperer 2023-09-19T10:49:51Z https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657986#M227273 <P>not always the last <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Tue, 19 Sep 2023 11:41:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657986#M227273 RahulMisra 2023-09-19T11:41:38Z https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657987#M227274 <P>Does it always start with "<SPAN>awswaf:managed"? Or is there some other way to recognise the part you want displayed?</SPAN></P> Tue, 19 Sep 2023 11:43:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657987#M227274 ITWhisperer 2023-09-19T11:43:24Z https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657988#M227275 <P>Always with that String</P> Tue, 19 Sep 2023 11:47:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/657988#M227275 RahulMisra 2023-09-19T11:47:59Z https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/658016#M227284 <P>You could try extracting just that part from your events. If you want help doing that, you should share some raw events in a code block &lt;/&gt; to preserve formatting.</P> Tue, 19 Sep 2023 15:13:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Filter-Table-Output/m-p/658016#M227284 ITWhisperer 2023-09-19T15:13:52Z