Solved: Can i show and hide columns on a table based on va...

royimad · ‎04-11-2013

Hello,

I have a table with 4 Header:
A B C D
I need to show A C D column if B is null and B C D column if A is null, how to do that?

Search:
some selection | table A B C D

kristian_kolb · ‎04-11-2013

Not really sure that it fits with your requirements and underlying events, but eval's coalesce function may be the thing you're looking for. It will assign the new field the first non-null value of the fields listed.

Event1: A= B=2 C=3 D=4
Event2: A=1 B= C=3 D=4

search:

... | eval First = coalesce(A,B) | table First C D

result:

First   C   D
    2   3   4
    1   3   4

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-11-2013

Not really sure that it fits with your requirements and underlying events, but eval's coalesce function may be the thing you're looking for. It will assign the new field the first non-null value of the fields listed.

Event1: A= B=2 C=3 D=4
Event2: A=1 B= C=3 D=4

search:

... | eval First = coalesce(A,B) | table First C D

result:

First   C   D
    2   3   4
    1   3   4

Hope this helps,

Kristian

royimad · ‎04-12-2013

Thanks,
Roy

Can i show and hide columns on a table based on values?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Can i show and hide columns on a table based on values?

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience