Solved: Can i show and hide columns on a table based on va...

royimad · ‎04-11-2013

Hello,

I have a table with 4 Header:
A B C D
I need to show A C D column if B is null and B C D column if A is null, how to do that?

Search:
some selection | table A B C D

kristian_kolb · ‎04-11-2013

Not really sure that it fits with your requirements and underlying events, but eval's coalesce function may be the thing you're looking for. It will assign the new field the first non-null value of the fields listed.

Event1: A= B=2 C=3 D=4
Event2: A=1 B= C=3 D=4

search:

... | eval First = coalesce(A,B) | table First C D

result:

First   C   D
    2   3   4
    1   3   4

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-11-2013

Not really sure that it fits with your requirements and underlying events, but eval's coalesce function may be the thing you're looking for. It will assign the new field the first non-null value of the fields listed.

Event1: A= B=2 C=3 D=4
Event2: A=1 B= C=3 D=4

search:

... | eval First = coalesce(A,B) | table First C D

result:

First   C   D
    2   3   4
    1   3   4

Hope this helps,

Kristian

royimad · ‎04-12-2013

Thanks,
Roy

Can i show and hide columns on a table based on values?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?

Can i show and hide columns on a table based on values?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement