Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display different tables in a dashboard based on different conditions ?

chris7535
Engager
‎05-21-2019 07:06 AM

I have a dashboard that let's users enter in the type of events they want to search for. Every type of event returns a different set of fields which is then displayed in a table. Since the final output is a single table I have to account for every possible field that may generate from all events, if a field does not apply to a event I used eval to set the value for that field to "not applicable".

Is there a way to show a different table (with different fields) depending on a condition that is selected ? I would have imaged that just using this at the end would do the job but no, instead only the first eval is evaluated.

             | eval ShowTable = if(EventCode=="1")   | table  Time,Host,DN,Status
             | eval ShowTable = if(EventCode=="2")   | table  Time,Host,PN,Value
             | eval ShowTable = if(EventCode=="3")   | table  Time,Host,Action,Status
Tags (1)
Reply

DavidHourani
Super Champion
‎05-21-2019 11:29 PM

Hi @chris7535,

Using the query you posted above after the first tablecommand you no longer have the EventCode fields not the Values or Action field so the other evals will do nothing and the tables as well.

If you want to control the way a dashboard or table is presented based on a token you need to use conditional tokens as shown here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/tokens
And here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/ContextualDrilldown#Configure_conditional_beh...

Let me know if that helps.

Cheers,
David

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...