Solved: Re: Is it possible to display the cleaner version ...

brooklynotss · ‎01-28-2016

I'm not sure what this part of the raw data UI view is called. See screen shot,

Ideally i'm looking to, on loading of the dashboard panel, only display the data as it looks in section 3 (only the Field and Value parts - don't need or want that Actions dropdown column). Section is 2 what you get out of the box, section 3 only appears if you click the toggle next to my number 1. Also ideally looking to do this in Simple XML. Any help appreciated.

Bigger picture is a dashboard that is a single reference for all data about the selected endpoint so I want to display the PC systeminfo like you see here, but also pull in a whole bunch of other data points. So it's a lot of text to display on a page and just looking to make it as clean as possible. I suspect I need to get into HTML for this but wanted to try here first.

MuS · ‎01-28-2016

I think the closest result could be this run everywhere example:

  index=_internal | stats values(*) AS * by _time | transpose | rename column AS field | rename "row *" AS value*

This will produce a table with a field field and some values1 fields

View solution in original post

wbcem · ‎03-02-2017

Here's a trick I've used now and again, the eval split function. If you have a reliable delimiter, you can split a string into a multi value field. A very handy aspect of multi value fields is that each portion of the multi value field will display on a separate line in the table cell. This is the equivalent of embedding newlines in the variable output.

MuS · ‎01-28-2016

I think the closest result could be this run everywhere example:

  index=_internal | stats values(*) AS * by _time | transpose | rename column AS field | rename "row *" AS value*

This will produce a table with a field field and some values1 fields

thunder_wu · ‎01-28-2016

This works great! Appreciate you sharing this trick.

Any quick way to filter out the default fields date_*, host, source, etc. I just want to present data fields extracted by myself. I know I can take them out one by one, just wonder if there is any short syntax to achieve that.

MuS · ‎01-28-2016

use after the first | a table command and list only the fields you need:

 index=_internal | table myfield1 myfield2 myfield3 | stats values(*) AS * by _time | transpose | rename column AS field | rename "row *" AS value*

somesoni2 · ‎01-28-2016

Can anyone see the attached image??

brooklynotss · ‎01-28-2016

weird - looks like it broke. I just re-attached it.

richgalloway · ‎01-28-2016

Use the table command to display the fields (columns) of interest.

---
If this reply helps you, Karma would be appreciated.

brooklynotss · ‎01-28-2016

but then it just displays a super long horizontal table with many columns and two rows. not sure how to turn each field-value pair into a row with two columns.

thunder_wu · ‎01-28-2016

I have the exact same need. Table view is not very user friendly.

Is it possible to display the cleaner version of raw data in a table or event panel

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?