Re: dashboard studio column formatting array

Skins · ‎02-13-2023

I'm looking to add some column formatting to some table in dashboard studio - but the option is greyed out saying the column is an array, why is this ? and can i re-factor my search to make it work?

index=test AND host="test" sourcetype=test
| stats latest(state) latest(status) by host name state status
| stats list(name) as NAME list(state) as STATE list(status) as STATUS by hos

Skins · ‎02-14-2023

Thanks!, but the last stats command presents the data in list format as i want.
if i remove that it doesnt give the desired output?

ITWhisperer · ‎02-14-2023

You could use mvjoin to convert the multivalue fields into single fields - does that help?

Skins · ‎02-14-2023

nope that removes the list formatting - desired output looks like this:

host NAME STATE STATUS

host

Disk 0

Disk 1

Disk 2

Disk 3

Disk 4

Online

Up

ITWhisperer · ‎02-13-2023

The stats command is creating three multivalue fileds (arrays) - these appear to be superfluous as the previous stats command has already created a set of events with exactly the same information in. Try removing the last stats command.

Why is dashboard studio column formatting array?

Dashboard Studio

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation