Dashboards & Visualizations

Is it possible to display the cleaner version of raw data in a table or event panel?

Path Finder

I'm not sure what this part of the raw data UI view is called. See screenshot.

Ideally I'm looking to, on loading of the dashboard panel, only display the data as it looks in section 3 (only the Field and Value parts - don't need or want that Actions dropdown column). Section 2 is what you get out of the box; section 3 only appears if you click the toggle next to my number 1. Also ideally looking to do this in Simple XML. Any help appreciated.

Bigger picture is a dashboard that is a single reference for all data about the selected endpoint so I want to display the PC systeminfo like you see here, but also pull in a whole bunch of other data points. So it's a lot of text to display on a page and just looking to make it as clean as possible. I suspect I need to get into HTML for this but wanted to try here first.

1 Solution

SplunkTrust

I think the closest result could be this run everywhere example:

  index=_internal | stats values(*) AS * by _time | transpose | rename column AS field | rename "row *" AS value*

This will produce a table with a field field and some values1 fields.


Explorer

Here's a trick I've used now and again, the eval split function. If you have a reliable delimiter, you can split a string into a multi value field. A very handy aspect of multi value fields is that each portion of the multi value field will display on a separate line in the table cell. This is the equivalent of embedding newlines in the variable output.

0 Karma

Path Finder

This works great! Appreciate you sharing this trick.

Any quick way to filter out the default fields date_*, host, source, etc.? I just want to present data fields extracted by myself. I know I can take them out one by one, just wonder if there is any short syntax to achieve that.

0 Karma

SplunkTrust

Use a table command after the first | and list only the fields you need:

  index=_internal | table _time myfield1 myfield2 myfield3 | stats values(*) AS * by _time | transpose | rename column AS field | rename "row *" AS value*
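The accepted search and the default-field filtering asked about above, wrapped in a Simple XML form as the original question requested. This is an added example, not part of any post in the thread; the `endpoint` token, the `head 1`, the time range and the list of excluded default fields are assumptions to adapt.

```xml
<form>
  <label>Endpoint reference (constructed example)</label>
  <fieldset submitButton="false">
    <!-- Hypothetical token: the endpoint whose data the panel shows -->
    <input type="text" token="endpoint">
      <label>Endpoint</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Field / value view for $endpoint$</title>
      <table>
        <!-- head 1 keeps one event so transpose yields a single value column.
             "fields -" accepts wildcards, so date_* drops every date_ field
             without listing them one by one; _time is kept for the stats. -->
        <search>
          <query><![CDATA[
index=_internal host="$endpoint$"
| head 1
| fields - date_* host source sourcetype index linecount punct splunk_server timestamp
| stats values(*) AS * by _time
| transpose
| rename column AS field
| rename "row *" AS value*
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Read-only reference panel: no click-through on cells -->
        <option name="drilldown">none</option>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</form>
```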

Revered Legend

Can anyone see the attached image??

0 Karma

Path Finder

Weird - looks like it broke. I just re-attached it.

0 Karma

SplunkTrust

Use the table command to display the fields (columns) of interest.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

But then it just displays a super long horizontal table with many columns and two rows. Not sure how to turn each field-value pair into a row with two columns.

0 Karma

Path Finder

I have the exact same need. Table view is not very user friendly.

0 Karma