Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Arranging the tabular columns and removing the empty fields in the table

KR1
Loves-to-Learn Lots
‎10-06-2023 12:13 PM

Hi,

I am working on a query where i need to display the table based on the multiselect input.
multi-select input options are : (nf, sf, etc)

When i select "nf " then only columns starts with "nf" should display along with "user" and "role" and also display the columns in same order as it is mentioned,

similarly to be applied  if i am selecting multiple options from the multi-select input as well

but,
 iam facing a issue while fetching the table in same order.

i have tried using 
|<search query>
| stats list(*) as * by user, role
but this one jumbles the column placement in alphabetical order, which i don't want to.

also,
tried using set tokens by giving the field_name starts with "nf" in one token and sf in another token.

|< search query>
| table user, role, $nf_fields$ $,sf_fields$

by trying this method also faced an issue
example: if i am selecting only sf from the multi select input
then the fields starts with nf also displayed with empty values

KR1_1-1696619012063.png

 


--> Is it possible to fix the placement of the columns.
or,
--> removing the empty columns based on the multi-select input

both approaches works for me.

Expected Output:

KR1_0-1696618145207.png

please help me to solve this.

Thanks in advance.

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-08-2023 03:27 PM

@KR1 

Please can you show the <input> block for your multiselect. You need to have a suitable <change> block to be able to set/unset the nf/sf tokens correctly.

 

Tags (1)
0 Karma
Reply

Thulasinathan_M
Contributor
‎10-07-2023 08:58 PM

Hi,
If un-necessary fields displaying from token, then please check whether you've unset token 'nf' when 'sf' is present and vice versa if 'nf' present then unset 'sf' fields.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-06-2023 11:00 PM

Hi @KR1,

sorry but I don't understand your issue:

is your issue on the columns or on the displayed values (as I can understand from your screenshots)?

if on the columns, is your issue that you want the columns in a specified order (which order?), or you don't want to display empty columns?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...