Dashboards & Visualizations

How to create a table?

anissabnk
Path Finder

Hello everyone, I have a question for you.

I have this table:

[screenshot: anissabnk_0-1679417130483.png]

But I want to have first:

- the evenement Dépôt

and in the second line:

- the evenement Pré-contrôle

[screenshot: anissabnk_1-1679417156988.png]

I don't know how to do this.

Can you help me, please?

0 Karma

PickleRick
SplunkTrust

You can't have "subrows" in Splunk. You can have multivalued fields but they are independent from each other (i.e. you can't sort values in one of them based on order of values in another field). So if that's what you want to do, it won't work that way. Splunk is not Excel 😉

0 Karma

anissabnk
Path Finder

So, how can I get the order that I mentioned?

Thank you

0 Karma

ITWhisperer
SplunkTrust

If the order of the events in the table is important to you, you need to provide / create a field with a value that can be sorted to give the order you desire. You can remove this field after the sort if you wish.

0 Karma

PickleRick
SplunkTrust

@ITWhisperer I think you're talking about a different thing than I am.

What I meant was that while Splunk can happily deal with data in the form of

Col1 val1 | Col2 val1 | Col3 val1 | Col4 val1 | ...
Col1 val1 | Col2 val2 | Col3 val2 | Col4 val2 | ...
Col1 val1 | Col2 val3 | Col3 val3 | Col4 val3
...

If you have separate rows, even if the value in first column is the same but repeated in several rows, we can handle that easily since each row is separate and you can reorder the results and make sense of it. But if you have it like that:

Col1 val1 | Col2 val1 | Col3 val1 | Col4 val1
          | Col2 val2 | Col3 val2 | Col4 val2
          | Col2 val3 | Col3 val3 | Col4 val3
...

In this case you have separate columns which contain multivalued fields. Each column is just one aggregate result field. So sorting - for example - column 2 would not change order of column 3.

Splunk has no way of "partially aggregating" separate results while keeping other parts of the result rows separate.

That's what I was talking about. You can process the results like in the first table but then aggregate some rows into a single row to present them like in the second table but it has its caveats.


1) As I said - there is no relation between values in separate rows so you might format them to look like "rows" but they are not rows internally, so you can't - for example - select a set from one "subrow" to pivot to.

2) If your original values contain empty spaces Splunk will be happy to compress them in your results so you might get something like that:

Col1 val1 | Col2 val1 | Col3 val1 | Col4 val3
          | Col2 val3 | Col3 val2 |
          |           | Col3 val3 |
...

0 Karma

anissabnk
Path Finder

Can you share with me an example of the SPL request, please?

0 Karma

ITWhisperer
SplunkTrust

| eval sortorder=case(evenement=="Dépôt",1,evenement=="Pré-contrôle",2)
| sort 0 sortorder
| fields - sortorder

0 Karma
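
An added example, not part of the original thread, that combines the two replies above: ITWhisperer's sort key, and PickleRick's caveat that empty values are compressed out of multivalued columns. The rows are constructed with makeresults; the fields dossier and statut, the value "Archivage" and the catch-all rank 99 are assumptions for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval dossier="EXAMPLE-001"
| eval evenement=case(n==1,"Pré-contrôle", n==2,"Archivage", n==3,"Dépôt")
| eval statut=case(n==1,"OK", n==3,"KO")
| fillnull value="-" statut
| eval sortorder=case(evenement=="Dépôt",1, evenement=="Pré-contrôle",2, true(),99)
| sort 0 sortorder
| stats list(evenement) AS evenement list(statut) AS statut BY dossier
```

Sorting before the aggregation is what fixes the order inside each multivalued cell, because list() keeps values in the order the rows arrive. Without the fillnull, list(statut) would return only two values and no longer line up with the three events.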