How to access data from table that is not displayed

mabinn
Explorer

Hello,

I have a table with three columns, but I only want to display two columns, so I use the field command. When I click either column 1 or 2 from my dashboard, I want to access the column_3 data if I do this token:

$row.column_3|n$.

However, I am no longer able to access the column_3.

<query>
  index=* | table column_1, column_2, column_3
  | fields column_1, column_2
</query>


<drilldown>
  <link>
      myapplication/$row.column_3|n$
  </link>
</drilldown>

I tried debugging my code. Anywhere I click, I always go to "myapplication/$row.column_3|n$"

But when I change to either:

myapplication/$row.column_2|n$
OR
myapplication/$row.column_1|n$

I am getting the values accordingly. So it seems that $row.fieldname$ is working fine. Does anyone know what's going on? I thought fields allows me to display what I want, but keeps all the values from my table?

PS: I know that this workaround exists, but this line of code is not accepted if I have a column chart.

<field> ["column_1", "column_2"] </field>

Thank you in advance!!

gorba
Engager

This worked for me:

<table>
  <search>
    <query>
      index=* | table column_1, column_2, column_3
    </query>
  </search>
  <fields>column_1, column_2</fields>
  <option>
  ...
  </option>
  <drilldown>
    <link>
      myapplication/$row.column_3$
    </link>
  </drilldown>
</table>

The fields-tag decides which columns are shown, and the link still has a connection to the column_3 you set with the table-tag.

richgalloway
SplunkTrust

The fields command doesn't control what is displayed, it controls what fields are available to subsequent commands. By saying fields column_1, column_2 you've discarded all other fields and no command can bring them back.

BTW, using table followed by fields is somewhat redundant. The table command controls the order in which fields are displayed and also specifies which fields are available downstream. fields also says which fields are available downstream. When both are needed, fields usually precedes table.

---
If this reply helps you, Karma would be appreciated.

mabinn
Explorer

Thanks for the info! It sounds like I need to display all three of my columns in my table in order to use row.? Do you know if there is any way (other than CSS) to hide my table column but access its data?
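
The two replies above combined into one table panel, as an added example that is not from any poster in this thread: column_3 stays in the search results, the fields element hides it from display, and the drilldown still reads it. Field names and the link path are the ones used in the thread; using the `|u` (URL-encode) token filter in place of `|n` (no encoding) is a choice made for this example, so that a value taken from indexed data cannot change the structure of the link.

```xml
<table>
  <search>
    <!-- fields narrows what is available downstream, table sets column order.
         column_3 is kept in both so it remains in every result row. -->
    <query>
      index=* | fields column_1, column_2, column_3
              | table column_1, column_2, column_3
    </query>
  </search>
  <!-- Display filter only: column_3 is not rendered, but the row still carries it. -->
  <fields>column_1, column_2</fields>
  <drilldown>
    <!-- Clicking column_1 or column_2 resolves column_3 from the clicked row.
         |u URL-encodes the value; |n would insert it exactly as indexed. -->
    <link>myapplication/$row.column_3|u$</link>
  </drilldown>
</table>
```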