Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to access data from table that is not displayed

mabinn
Explorer
‎09-19-2018 05:56 PM

Hello,

I have a table with three columns, but I only want to display two columns, so I use the field command. When I click either column 1 or 2 from my dashboard, I want to access the column_3 data if I do this token:

$row.column_3|n$.

However, I am no longer able to access the column_3.

<query>     
 index=*  | table column_1, column_2, column_3
| fields column_1, column_2     
 </query>


<drilldown>
  <link>
      myapplication/$row.column_3|n$
  </link>
</drilldown>

I tried debugging my codes. Anywhere I click, I always go to "myapplication/$row.column_3|n$"

But when I change to either:

myapplication/$row.column_2|n$
OR
myapplication/$row.column_1|n$

I am getting the values accordingly. So it seems that $row.fieldname$ is working fine. Does anyone know what's going on? I thought fields allow me to display what I want, but keeps all the value from my table?

PS: I know that this workaround exists, but this line of code is not accepted if I have a column chart.

<field> ["column_1", "column_2"] </field>

Thank you in advance!!

Reply

gorba
Engager
‎09-19-2019 02:09 AM

This worked for me:

 <table>
    <search>
      <query>
          index=* | table column_1, column_2, column_3
      </query>
    </search>
    <fields>column_1, column_2</fields>
    <option>
    ...
    </option>
    <drilldown>
      <link>
          myapplication/$row.column_3$
      </link>
    </drilldown>
  </table>

The fields-tag decide which columns are shown and the link has still connection to the column_3 you set with the table-tag

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2018 07:20 AM

The fields command doesn't control what is displayed, it controls what fields are available to subsequent commands. By saying fields column_1, column_2 you've discarded all other fields and no command can bring them back.

BTW, using table followed by fields is somewhat redundant. The table command controls the order in which fields are displayed and also specifies which fields are available downstream. fields also says which fields are available downstream. When both are needed, fields usually precedes table.

---
If this reply helps you, Karma would be appreciated.
Reply

mabinn
Explorer
‎09-20-2018 09:53 AM

Thanks for the info! It sounds like I need to display my all three columns into my table in order to use row.? Do you know if there is any way (other than CSS) to hide my table column but access its data?

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...