Splunk Search

How to display columns dynamically in the splunk table output?

New Member

My end goal to achieve is,
I have a drop down input for the query that renders the data in the table where I have mentioned what columns to specify.
Now the scenario is I dont want all the columns to be displayed all the time. I have to display the columns list based on the drop down input or any other conditions.

Please let me know the best way to do it.

My Query:
index="*" LogText.Environment=$env$ source=$logFilePath$ LogText.StatusMessage = $status$ $searchField$$searchString$
| rename
LogText.LogId as LogID
LogText.VehicleId as VEHICLE_ID
LogText.StoreId as STOREID
LogText.StockNumber as STOCK_NUMBER
LogText.EnterpriseCompany as ENTERPRISE_COMPANY
LogText.InventoryOwner as INVENTORY_OWNER
LogText.EnterPriseCompanyNotEnabled as AUTHORIZED
LogText.StatusMessage as STATUS_MESSAGE
LogText.UpdateFailureReason as FAIL_REASON
LogText.CvsReadSuccessful as IS_CVS_READ_SUCCESS
LogText.DataEdgeReadSuccessful as IS_DATAEDGE_READ_SUCCESS
LogText.DataEdgeUpdateSuccessful as IS_DATAEDGE_UPDATE_SUCCESS

LogText.HttpStatusCode as HTTP_CD
LogText.ErrorMessage as ERROR_MESSAGE
LogText.CompareFieldsAuditLog.CompareFields{}.CvsField as CVS_FIELDS
LogText.CompareFieldsAuditLog.CompareFields{}.CvsValue as CVSVALUES
LogText.CompareFieldsAuditLog.CompareFields{}.DmsField as DMS_FIELDS
LogText.CompareFieldsAuditLog.CompareFields{}.DmsValue as DMSVALUES
|table
_time LogID ENTERPRISE_COMPANY INVENTORY_OWNER VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES
| sort _time desc

Added more details:

Code for drop down:

  <label>QueueType</label>
  <choice value="EnterpriseCompanyQueueListener.log">Merch</choice>
  <choice value="InventoryOwnerQueueListener.log">NonMerch</choice>
  <default>EnterpriseCompanyQueueListener.log</default>
  <initialValue>EnterpriseCompanyQueueListener.log</initialValue>
</input>

When we select choice 1, then I need below column list:
_time LogID ENTERPRISE_COMPANY VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES

When we select choice2, then I need to show below list:
_time LogID INVENTORY_OWNER VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES

0 Karma

Legend

@sravanb please try the change event of the dropdown to code as many tokens as you want. Since you have provided partial code, I can help with only as much detail I can add.

Following is the Dropdown code with <change> event handler that sets new token tokSelectedField based on the dropdown value selected:

   ....
   ....
   <label>QueueType</label>
   <choice value="EnterpriseCompanyQueueListener.log">Merch</choice>
   <choice value="InventoryOwnerQueueListener.log">NonMerch</choice>
   <default>EnterpriseCompanyQueueListener.log</default>
   <initialValue>EnterpriseCompanyQueueListener.log</initialValue>
   <change>
       <condition label="Merch">
           <set token="tokSelectedField">ENTERPRISE_COMPANY</set>
       </condition>
       <condition label="NonMerch">
           <set token="tokSelectedField">INVENTORY_OWNER </set>
       </condition>
   </change>
 </input>
   ....
   ....
   ....

Then use the token $tokSelectedField$ in the table command in the query. It will have value either ENTERPRISE_COMPANY or INVENTORY_OWNER based on your dropdown value selected i.e. |table _time LogID $tokSelectedField$ VEHICLE_ID ...

   <search>
       <query>
             ....
             ....
             |table _time LogID $tokSelectedField$ VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE IS_CVS_READ_SUCCESS IS_DATAEDGE_READ_SUCCESS IS_DATAEDGE_UPDATE_SUCCESS HTTP_CD CVS_FIELDS CVSVALUES DMS_FIELDS DMSVALUES
             | sort _time desc
        </query>
         ....
         ....

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

@niketnilay Below is the simple XML for the drop down:

  <label>QueueType</label>
  <choice value="LogFIle1.log">Merch</choice>
  <choice value="LogFIle2.log">NonMerch</choice>
  <default>LogFIle1.log</default>
  <initialValue>LogFIle1.log</initialValue>

When user selects First choice (LogFile1.log), then in the output columns should be
_time LogID ENTERPRISE_COMPANY VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE

else
_time LogID INVENTORY_OWNER VEHICLE_ID STOREID STOCK_NUMBER STATUS_MESSAGE FAIL_REASON ERROR_MESSAGE

0 Karma

Legend

@sravanb what is the Dynamic Condition and what are corresponding Dropdown Input. We would be able to assist you based on that detail. Also what is the current Simple XML code for your Dropdown.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!