Splunk Search

How do I show/hide table columns?

BobKimata
Path Finder

I have several tables that are populated by an SQL query. I would like to have options to show or hide columns depending on what the user wants to see.

Cheers,
Bob

1 Solution

jeffland
SplunkTrust
SplunkTrust

An easy solution would be to place a multiselect input above the table and give it some static options containing the field names. For "Delimiter" of the input, you enter a space, and at the end of the search powering the table, you simply place ... | table $token$ where token is the same name you gave the token in the input.

You should probably set some entries by default in the multiselect.

Update: In the meantime I also added a sorting capability to the multiselect which makes this even more useful. For anyone interested, add this js to your dashboard:

require([
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/simplexml/ready!'
    ], function ($, mvc) {

    var tokens = mvc.Components.getInstance('default');
    var hidden_input = $("#your_input_id_here > div > input");

    hidden_input.select2("container").find("ul.select2-choices").sortable({
        containment: 'parent',
        start: function() {
            hidden_input.select2("onSortStart");
        },
        update: function() {
            hidden_input.select2("onSortEnd");
            tokens.set("form.field_tok", hidden_input.val().split(','));
        }
    });
});

And voila, you can move those entries around with your mouse. You might want to add some css and change the mouse cursor over multiselect entries to an arrow or something.

View solution in original post

jeffland
SplunkTrust
SplunkTrust

An easy solution would be to place a multiselect input above the table and give it some static options containing the field names. For "Delimiter" of the input, you enter a space, and at the end of the search powering the table, you simply place ... | table $token$ where token is the same name you gave the token in the input.

You should probably set some entries by default in the multiselect.

Update: In the meantime I also added a sorting capability to the multiselect which makes this even more useful. For anyone interested, add this js to your dashboard:

require([
        'jquery',
        'splunkjs/mvc',
        'splunkjs/mvc/simplexml/ready!'
    ], function ($, mvc) {

    var tokens = mvc.Components.getInstance('default');
    var hidden_input = $("#your_input_id_here > div > input");

    hidden_input.select2("container").find("ul.select2-choices").sortable({
        containment: 'parent',
        start: function() {
            hidden_input.select2("onSortStart");
        },
        update: function() {
            hidden_input.select2("onSortEnd");
            tokens.set("form.field_tok", hidden_input.val().split(','));
        }
    });
});

And voila, you can move those entries around with your mouse. You might want to add some css and change the mouse cursor over multiselect entries to an arrow or something.

BobKimata
Path Finder

Managed to get it working.

0 Karma

BobKimata
Path Finder

Thanks for the solution. It works, however, it tends to sort my table alphabetically and not the way it appears in my SQL query. This interferes with my drilldowns. I have put * as my default value. I have populated my multiselect with fieldnames using an SQL query as well.

0 Karma

jeffland
SplunkTrust
SplunkTrust

Are you referring to the order of your columns or your rows? Columns are usually always sorted lexicographically, except specified explicitly (the order in which you list them after a table or fields command). You can also consider changing the search to something like this

... | table _time id $token$

so that the table will always have a timestamp and and an id first place (or whatever you have in your data that is always present, such as host or source).
You should also consider having an explicit selection of fields per default in your multiselect instead of an asterisk. This would on the one hand solve your problem of lexicographic order within the columns (which the asterisk does), and it would also allow the user to de-select specific columns from the standard selection.

0 Karma

BobKimata
Path Finder

Thanks a lot. It worked well. The other challenge is that the fields are many so it doesn't look good on the dashboard. I need to increase the width of the multiselect. I have looked on all forums but their solutions aren't working. Am using Splunk 6. Tried overriding the default width using css but it hasn't worked.

0 Karma

jeffland
SplunkTrust
SplunkTrust

Have you tried this method of giving your item an id and changing it via id?

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...