Solved: Can i show and hide columns on a table based on va...

royimad · ‎04-11-2013

Hello,

I have a table with 4 Header:
A B C D
I need to show A C D column if B is null and B C D column if A is null, how to do that?

Search:
some selection | table A B C D

kristian_kolb · ‎04-11-2013

Not really sure that it fits with your requirements and underlying events, but eval's coalesce function may be the thing you're looking for. It will assign the new field the first non-null value of the fields listed.

Event1: A= B=2 C=3 D=4
Event2: A=1 B= C=3 D=4

search:

... | eval First = coalesce(A,B) | table First C D

result:

First   C   D
    2   3   4
    1   3   4

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-11-2013

Not really sure that it fits with your requirements and underlying events, but eval's coalesce function may be the thing you're looking for. It will assign the new field the first non-null value of the fields listed.

Event1: A= B=2 C=3 D=4
Event2: A=1 B= C=3 D=4

search:

... | eval First = coalesce(A,B) | table First C D

result:

First   C   D
    2   3   4
    1   3   4

Hope this helps,

Kristian

royimad · ‎04-12-2013

Thanks,
Roy

Can i show and hide columns on a table based on values?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

Can i show and hide columns on a table based on values?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside