Solved: How to format a table

ShagVT · ‎08-13-2019

I have a search that will produce a pretty basic table like this: index=myindex | chart count by host, partition

host        partition1   partition2
serverA       453                0
serverB        23               23
serverC         0              231

I'm trying to make a dashboard, and for my dashboard, the specific values are not really important.

host        partition1   partition2
serverA         X                
serverB         X               X
serverC                         X

I would be fine with something like this, or a graphical checkmark or something? I'm just looking to show where the non-zero values are. Anything additional I can do to bring attention to those through color-coding etc would be gravy.

Any suggestions?

somesoni2 · ‎08-13-2019

Give this a try (will show 1 and blank based on count)

index=myindex | chart dc(host) by host, partition
| foreach * [| eval "<<FIELD>>"=if("<<FIELD>>"!="host" AND '<<FIELD>>'=0,"",'<<FIELD>>')]

View solution in original post

somesoni2 · ‎08-13-2019

Give this a try (will show 1 and blank based on count)

index=myindex | chart dc(host) by host, partition
| foreach * [| eval "<<FIELD>>"=if("<<FIELD>>"!="host" AND '<<FIELD>>'=0,"",'<<FIELD>>')]

ShagVT · ‎08-13-2019

Thanks - I never think of the foreach function.

I modified slightly to end up with X since that's a little easier to spot when the chart has more values:

| foreach * [|eval "<<FIELD>>"=if("<<FIELD>>" != "host" AND '<<FIELD>>'=0, "", '<<FIELD>>')]
| foreach * [|eval "<<FIELD>>"=if('<<FIELD>>' = 1, "X", '<<FIELD>>')]

niketn · ‎08-13-2019

@ShagVT if your issue is resolved please accept the answer to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to format a table

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor