Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to display columns dynamically in the splunk table output?

sravanb
New Member
‎05-25-2018 08:32 AM

My end goal to achieve is,
I have a drop down input for the query that renders the data in the table where I have mentioned what columns to specify.
Now the scenario is I dont want all the columns to be displayed all the time. I have to display the columns list based on the drop down input or any other conditions.

Please let me know the best way to do it.

My Query:
index="*" LogText.Environment=$env$ source=$logFilePath$ LogText.StatusMessage = $status$ $searchField$$searchString$
| rename
LogText.LogId as LogID
LogText.VehicleId as VEHICLE_ID
LogText.StoreId as STOREID
LogText.StockNumber as STOCK_NUMBER
LogText.EnterpriseCompany as ENTERPRISE_COMPANY
LogText.InventoryOwner as INVENTORY_OWNER
LogText.EnterPriseCompanyNotEnabled as AUTHORIZED
LogText.StatusMessage as STATUS_MESSAGE
LogText.UpdateFailureReason as FAIL_REASON
LogText.CvsReadSuccessful as IS_CVS_READ_SUCCESS
LogText.DataEdgeReadSuccessful as IS_DATAEDGE_READ_SUCCESS
LogText.DataEdgeUpdateSuccessful as IS_DATAEDGE_UPDATE_SUCCESS

LogText.HttpStatusCode as HTTP_CD
LogText.ErrorMessage as ERROR_MESSAGE
LogText.CompareFieldsAuditLog.CompareFields{}.CvsField as CVS_FIELDS
LogText.CompareFieldsAuditLog.CompareFields{}.CvsValue as CVSVALUES
LogText.CompareFieldsAuditLog.CompareFields{}.DmsField as DMS_FIELDS
LogText.CompareFieldsAuditLog.CompareFields{}.DmsValue as DMSVALUES
|table
_time LogID ENTERPRISE_COMPANY INVENTORY_OWNER VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES
| sort _time desc

Added more details:

Code for drop down:

  <label>QueueType</label>
  <choice value="EnterpriseCompanyQueueListener.log">Merch</choice>
  <choice value="InventoryOwnerQueueListener.log">NonMerch</choice>
  <default>EnterpriseCompanyQueueListener.log</default>
  <initialValue>EnterpriseCompanyQueueListener.log</initialValue>
</input>

When we select choice 1, then I need below column list:
_time LogID ENTERPRISE_COMPANY VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES

When we select choice2, then I need to show below list:
_time LogID INVENTORY_OWNER VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES

0 Karma
Reply

niketn
Legend
‎05-28-2018 05:40 AM

@sravanb please try the change event of the dropdown to code as many tokens as you want. Since you have provided partial code, I can help with only as much detail I can add.

Following is the Dropdown code with <change> event handler that sets new token tokSelectedField based on the dropdown value selected:

   ....
   ....
   <label>QueueType</label>
   <choice value="EnterpriseCompanyQueueListener.log">Merch</choice>
   <choice value="InventoryOwnerQueueListener.log">NonMerch</choice>
   <default>EnterpriseCompanyQueueListener.log</default>
   <initialValue>EnterpriseCompanyQueueListener.log</initialValue>
   <change>
       <condition label="Merch">
           <set token="tokSelectedField">ENTERPRISE_COMPANY</set>
       </condition>
       <condition label="NonMerch">
           <set token="tokSelectedField">INVENTORY_OWNER </set>
       </condition>
   </change>
 </input>
   ....
   ....
   ....

Then use the token $tokSelectedField$ in the table command in the query. It will have value either ENTERPRISE_COMPANY or INVENTORY_OWNER based on your dropdown value selected i.e. |table _time LogID $tokSelectedField$ VEHICLE_ID ...

   <search>
       <query>
             ....
             ....
             |table _time LogID $tokSelectedField$ VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES
             | sort _time desc
        </query>
         ....
         ....

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sravanb
New Member
‎05-27-2018 11:50 PM

@niketn Below is the simple XML for the drop down:

  <label>QueueType</label>
  <choice value="LogFIle1.log">Merch</choice>
  <choice value="LogFIle2.log">NonMerch</choice>
  <default>LogFIle1.log</default>
  <initialValue>LogFIle1.log</initialValue>

When user selects First choice (LogFile1.log), then in the output columns should be
_time LogID ENTERPRISE_COMPANY VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE

else
_time LogID INVENTORY_OWNER VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE

0 Karma
Reply

niketn
Legend
‎05-25-2018 09:27 AM

@sravanb what is the Dynamic Condition and what are corresponding Dropdown Input. We would be able to assist you based on that detail. Also what is the current Simple XML code for your Dropdown.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...