How to display different tables in a dashboard bas...

chris7535 · ‎05-21-2019

I have a dashboard that let's users enter in the type of events they want to search for. Every type of event returns a different set of fields which is then displayed in a table. Since the final output is a single table I have to account for every possible field that may generate from all events, if a field does not apply to a event I used eval to set the value for that field to "not applicable".

Is there a way to show a different table (with different fields) depending on a condition that is selected ? I would have imaged that just using this at the end would do the job but no, instead only the first eval is evaluated.

             | eval ShowTable = if(EventCode=="1")   | table  Time,Host,DN,Status
             | eval ShowTable = if(EventCode=="2")   | table  Time,Host,PN,Value
             | eval ShowTable = if(EventCode=="3")   | table  Time,Host,Action,Status

DavidHourani · ‎05-21-2019

Hi @chris7535,

Using the query you posted above after the first tablecommand you no longer have the EventCode fields not the Values or Action field so the other evals will do nothing and the tables as well.

If you want to control the way a dashboard or table is presented based on a token you need to use conditional tokens as shown here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/tokens
And here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/ContextualDrilldown#Configure_conditional_beh...

Let me know if that helps.

Cheers,
David

How to display different tables in a dashboard based on different conditions ?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!