https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672464#M230338 <P>Oh okay I just assumed it was a Splunk lookup. So if you are indexing the data from a CSV then you can probably do something like this (assuming field extractions are in place)<BR /><BR /></P><LI-CODE lang="markup">index=&lt;index&gt; sourcetype=&lt;sourcetype&gt; | table [ | makeresults | fields - _time | eval ID=[ | search index=&lt;index&gt; sourcetype=&lt;sourcetype&gt; | stats latest(ID) as ID | return $ID ], field_list_id_zero="NAME,STATUS,DATE,ACTION", field_list_id_positive="DATE-Changed,ID,NAME,DATE_DOWN,ACTION", final_field_list=if( 'ID'==0, 'field_list_id_zero', 'field_list_id_positive' ) | fields + final_field_list | return $final_field_list ]</LI-CODE><P>&nbsp;<BR />where &lt;index&gt; and &lt;sourcetype&gt; is where your CSV is being indexed.</P> Thu, 21 Dec 2023 00:24:57 GMT dtburrows3 2023-12-21T00:24:57Z https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672458#M230335 <P>Hello All,</P><P>I have a search question. I have a csv file that returnds data.</P><P>the ID field if there is no data - I want to have a table which shows 4 columns: NAME,STATUS,DATE,ACTION. These come from the csv file header line.</P><P>If the ID &gt;0 I want to show these columns: DATE-Changed,ID,NAME,DATE_DOWN,ACTION. I have not yet seen how I might do this. What I need, in a sense, it two searches, one when ID=0, and one when ID&gt;0. Any suggestions?</P><P>&nbsp;</P><P>Thanks,</P><P>EWHOLZ</P> Wed, 20 Dec 2023 23:21:26 GMT https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672458#M230335 eholz1 2023-12-20T23:21:26Z https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672462#M230336 <P>Not sure exactly how your ID value is being derived in this situation but you may be able to utilize a subsearch holding you list of fields for each scenario and then set up an eval if() function to determine which to use based on the value in the ID field. Then with a return command you can return that conditional field list back into the parent search after a fields command.<BR /><BR />Something like this.<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup &lt;lookup&gt; | fields [ | makeresults | fields - _time | eval ``` Not sure how the ID is being derived but there should be a variety of ways to get it here ``` ``` From lookup method ``` ``` ID=[ | inputlookup &lt;lookup&gt; | stats max(ID) as ID | return $ID ] ``` ``` From token method ``` ``` ID=$ID_token$ ``` ``` This is hardcoded for a POC ``` ID=1, field_list_id_zero="NAME,STATUS,DATE,ACTION", field_list_id_positive="DATE-Changed,ID,NAME,DATE_DOWN,ACTION", final_field_list=if( 'ID'==0, 'field_list_id_zero', 'field_list_id_positive' ) | fields + final_field_list | return $final_field_list ]</LI-CODE><P>&nbsp;</P><P>&nbsp;<BR />Sample output when ID=0</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_0-1703115959337.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28615iD038F8C08F54EAA1/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_0-1703115959337.png" alt="dtburrows3_0-1703115959337.png" /></span></P><P>Sample output when ID&gt;0</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_1-1703116011254.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28616i04963DACBEDF93D9/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_1-1703116011254.png" alt="dtburrows3_1-1703116011254.png" /></span><BR /><BR /><BR /></P><P>&nbsp;</P> Wed, 20 Dec 2023 23:52:48 GMT https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672462#M230336 dtburrows3 2023-12-20T23:52:48Z https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672463#M230337 <P>dtbur;rows3</P><P>Wow, fast reply. Thanks. The ID gets set when the csv file is written. I have a python program that queries a MySQL database, and writes a "0" as ID if no results are returned from the query. If there is data returned, the ID is taken from query results (i.e ID=34, etc). The csv file is on a remote server. I use the Splunk Universal Forwarder to send the file to splunk. Is there a way to get this file set as an "input lookup" or does the "input lookupo" required the file to be local to the Splunk server?</P><P>Thanks for quick help.</P><P>EWHolz</P> Thu, 21 Dec 2023 00:07:51 GMT https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672463#M230337 eholz1 2023-12-21T00:07:51Z https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672464#M230338 <P>Oh okay I just assumed it was a Splunk lookup. So if you are indexing the data from a CSV then you can probably do something like this (assuming field extractions are in place)<BR /><BR /></P><LI-CODE lang="markup">index=&lt;index&gt; sourcetype=&lt;sourcetype&gt; | table [ | makeresults | fields - _time | eval ID=[ | search index=&lt;index&gt; sourcetype=&lt;sourcetype&gt; | stats latest(ID) as ID | return $ID ], field_list_id_zero="NAME,STATUS,DATE,ACTION", field_list_id_positive="DATE-Changed,ID,NAME,DATE_DOWN,ACTION", final_field_list=if( 'ID'==0, 'field_list_id_zero', 'field_list_id_positive' ) | fields + final_field_list | return $final_field_list ]</LI-CODE><P>&nbsp;<BR />where &lt;index&gt; and &lt;sourcetype&gt; is where your CSV is being indexed.</P> Thu, 21 Dec 2023 00:24:57 GMT https://community.splunk.com/t5/Splunk-Search/Change-table-columns-based-on-field-value/m-p/672464#M230338 dtburrows3 2023-12-21T00:24:57Z