Splunk Search

How to access data from table that is not displayed



I have a table with three columns, but I only want to display two columns, so I use the field command. When I click either column 1 or 2 from my dashboard, I want to access the column_3 data if I do this token:


However, I am no longer able to access the column_3.

 index=*  | table column_1, column_2, column_3
| fields column_1, column_2     


I tried debugging my codes. Anywhere I click, I always go to "myapplication/$row.column_3|n$"

But when I change to either:


I am getting the values accordingly. So it seems that $row.fieldname$ is working fine. Does anyone know what's going on? I thought fields allow me to display what I want, but keeps all the value from my table?

PS: I know that this workaround exists, but this line of code is not accepted if I have a column chart.

<field> ["column_1", "column_2"] </field>

Thank you in advance!!


This worked for me:

          index=* | table column_1, column_2, column_3
    <fields>column_1, column_2</fields>

The fields-tag decide which columns are shown and the link has still connection to the column_3 you set with the table-tag

0 Karma


The fields command doesn't control what is displayed, it controls what fields are available to subsequent commands. By saying fields column_1, column_2 you've discarded all other fields and no command can bring them back.

BTW, using table followed by fields is somewhat redundant. The table command controls the order in which fields are displayed and also specifies which fields are available downstream. fields also says which fields are available downstream. When both are needed, fields usually precedes table.

If this reply helps you, Karma would be appreciated.


Thanks for the info! It sounds like I need to display my all three columns into my table in order to use row.? Do you know if there is any way (other than CSS) to hide my table column but access its data?

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...