Dashboards & Visualizations

How to create a table?

anissabnk
Path Finder

Hello everyone, I have a question for you

 

I have this table:

anissabnk_0-1679417130483.png

 

But I want to have first:

- the evenement Dépôt

and in the second line:

- the evenement Pré-contrôle

 

anissabnk_1-1679417156988.png

I don't know how to do this.

Can you help me, please?

0 Karma

PickleRick
SplunkTrust

You can't have "subrows" in Splunk. You can have multivalued fields but they are independent from each other (i.e. you can't sort values in one of them based on order of values in another field). So if that's what you want to do, it won't work that way. Splunk is not Excel 😉

0 Karma

anissabnk
Path Finder

So, what can I do to get the order that I mentioned?

Thank you

0 Karma

ITWhisperer
SplunkTrust

If the order of the events in the table is important to you, you need to provide / create a field with a value that can be sorted to give the order you desire. You can remove this field after the sort if you wish.

0 Karma

PickleRick
SplunkTrust

@ITWhisperer I think you're talking about a different thing than I am.

What I meant was that while Splunk can happily deal with data in the form of

Col1 val1 | Col2 val1 | Col3 val1 | Col4 val1 | ...
Col1 val1 | Col2 val2 | Col3 val2 | Col4 val2 | ...
Col1 val1 | Col2 val3 | Col3 val3 | Col4 val3
...

 

If you have separate rows, even if the value in the first column is the same but repeated in several rows, we can handle that easily since each row is separate and you can reorder the results and make sense of it. But if you have it like that:

Col1 val1 | Col2 val1 | Col3 val1 | Col4 val1
          | Col2 val2 | Col3 val2 | Col4 val2
          | Col2 val3 | Col3 val3 | Col4 val3
...

 

In this case you have separate columns which contain multivalued fields. Each column is just one aggregate result field. So sorting - for example - column 2 would not change the order of column 3.

Splunk has no way of "partially aggregating" separate results while keeping other parts of the result rows separate.

That's what I was talking about. You can process the results like in the first table but then aggregate some rows into a single row to present them like in the second table but it has its caveats.


1) As I said - there is no relation between values in separate rows so you might format them to look like "rows" but they are not rows internally, so you can't - for example - select a set from one "subrow" to pivot to.

2) If your original values contain empty spaces Splunk will be happy to compress them in your results so you might get something like that:

Col1 val1 | Col2 val1 | Col3 val1 | Col4 val3
          | Col2 val3 | Col3 val2 |
          |           | Col3 val3 |
...

 

0 Karma

anissabnk
Path Finder

Can you share with me an example of the SPL request, please?

0 Karma

ITWhisperer
SplunkTrust

 

| eval sortorder=case(evenement=="Dépôt",1,evenement=="Pré-contrôle",2)
| sort 0 sortorder
| fields - sortorder

 

0 Karma
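
The two points made in this thread, as an added example that is not part of any post: a Python model (not SPL) of the sort-key approach from ITWhisperer's answer and of the multivalue "compression" PickleRick describes. The `dossier` and `statut` fields, the sample rows and the rank 99 for unlisted values are assumptions made for the illustration.

```python
# Added example: a Python model of the behaviour discussed in the thread, not SPL.
# The "dossier"/"statut" fields and all sample values are constructed.

ORDER = {"Dépôt": 1, "Pré-contrôle": 2}  # same ranks as the case() in the answer
LAST = 99                                 # assumption: unlisted values sort last


def sort_rows(rows):
    """Model of: eval sortorder=case(...) | sort 0 sortorder | fields - sortorder"""
    ranked = [dict(r, sortorder=ORDER.get(r["evenement"], LAST)) for r in rows]
    ranked.sort(key=lambda r: r["sortorder"])  # whole rows move together
    return [{k: v for k, v in r.items() if k != "sortorder"} for r in ranked]


def aggregate(rows, key, fields, placeholder=None):
    """Collapse rows sharing `key` into one row of multivalue lists.

    Empty values are dropped from each list independently (the "compression"
    described above) unless a placeholder is substituted first.
    """
    out = {}
    for r in rows:
        agg = out.setdefault(r[key], {f: [] for f in fields})
        for f in fields:
            v = r.get(f) or placeholder
            if v is not None:
                agg[f].append(v)
    return out


def aligned(agg_row):
    """True when every multivalue column holds the same number of values."""
    return len({len(v) for v in agg_row.values()}) == 1


ROWS = [  # constructed sample events; Pré-contrôle has no statut
    {"dossier": "D1", "evenement": "Pré-contrôle", "statut": None},
    {"dossier": "D1", "evenement": "Contrôle", "statut": "OK"},
    {"dossier": "D1", "evenement": "Dépôt", "statut": "KO"},
]

if __name__ == "__main__":
    ordered = sort_rows(ROWS)
    print([r["evenement"] for r in ordered])
    # Without a placeholder "OK" lands beside Pré-contrôle although it belongs to Contrôle.
    print(aggregate(ordered, "dossier", ["evenement", "statut"]))
    print(aggregate(ordered, "dossier", ["evenement", "statut"], placeholder="-"))
```

In SPL, the placeholder step corresponds to running `fillnull` on the field before the rows are aggregated.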