Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to hide a field of a table but keep it for separate search?

LearningGuy
Builder
‎10-31-2023 06:16 PM


How to hide a field of a table but keep it for separate search?   Thank you for your help
For example:  field "id" exists on the index. I don't want to display field "id" on the first table (Base search),  but display it on the second table (uses  the first search as Base search)


<search id="base">
    <query> index=testindex
          | table company, ip, AvgScore
     </query>
</search>

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34


<search base="base">
      <query> | lookup  example.csv id as id OUTPUTNEW  id, location
                        | table company, id, ip, AvgScore, location
     </query>
</search>

companyidipAvgScorelocation
CompanyAidAip11loc1
CompanyAidAip23loc1
CompanyAidAip34loc1
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-01-2023 06:29 AM

Hi @LearningGuy ,

as I said, in the base search you must put all the fields to use in the dashboard's panels, then in each panel you can put the fields you need in that panel, something like this:

base search

<search id="base">
    <query> 
        index=testindex
        | fields company ip id AvgScore
     </query>
</search>

Panel 1 (without id field):

<search base="base">
    <query> 
        index=testindex
        | table company ip AvgScore
     </query>
</search>

Panel 2 (with id field):

<search base="base">
      <query>
           | lookup  example.csv id OUTPUTNEW  id location
           | table company id ip AvgScore location
     </query>
</search>

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-01-2023 02:46 AM

Hi @LearningGuy ,

in the base search you must insert all the fields you need in the following panels.

Then in each panel, you display only the fields you want for that panel.

In your use case:

Base Search:

<search id="base">
    <query> index=testindex
          | fields company ip id AvgScore
     </query>
</search>

Panel's Search:

<search base="base">
      <query>
           | lookup  example.csv id OUTPUTNEW  id location
           | table company id ip AvgScore location
     </query>
</search>

Additional information: if the key field in the lookup command is the same of the main search you don't need to use "id as id".

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LearningGuy
Builder
‎11-01-2023 05:58 AM

Hello @gcusello 
Thank you for your help.

I have 2 "statistics table" panels:
1) statistic table for the base search  (id="base")
      I don't want to display "id "field  on the table  

2) statistic table panel for the  second search  (derived from the base search  base="base")
    I want to display "id" field on the table

How do I not display "id" field on the statistic table panel for the base search, but display "id" field on the statistic table panel for the second search?
If  I remove "id" from "| table" the base search, it doesn't display on the statistic table for the base search couldn't use it on the second search

1) statistic table for the base search
<search id="base">
    <query> index=testindex
          | table company, ip, AvgScore
     </query>
</search>

companyipAvgScore
CompanyAip11
CompanyAip23
CompanyAip34



2) statistic table panel for the  second search

<search base="base">
      <query> | lookup  example.csv id as id OUTPUTNEW  id, location
                        | table company, id, ip, AvgScore, location
     </query>
</search>

companyidipAvgScorelocation
CompanyAidAip11loc1
CompanyAidAip23loc1
CompanyAidAip34loc1




0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-01-2023 06:29 AM

Hi @LearningGuy ,

as I said, in the base search you must put all the fields to use in the dashboard's panels, then in each panel you can put the fields you need in that panel, something like this:

base search

<search id="base">
    <query> 
        index=testindex
        | fields company ip id AvgScore
     </query>
</search>

Panel 1 (without id field):

<search base="base">
    <query> 
        index=testindex
        | table company ip AvgScore
     </query>
</search>

Panel 2 (with id field):

<search base="base">
      <query>
           | lookup  example.csv id OUTPUTNEW  id location
           | table company id ip AvgScore location
     </query>
</search>

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LearningGuy
Builder
‎11-01-2023 06:52 PM

It worked.. Thank you so much for your help...   I accepted your solution

I wish there were other way to hide the field though..    let me know if there is..  thank you!!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2023 12:03 AM

Hi @LearningGuy ,

as I said, you don't hide fields in the base search: in base search you need to put all the fields you need in the dashboard' s panels, then in each panel yu use only the fields you need.

The base search is the starting point of all the panels' searches.

One additional hint: if you don't use a streming commad (as stats or timechart, etc...) the advantage of base search is limited.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-31-2023 11:57 PM
Hi
just define that base search as now, but don' use it as your query which create table on your dashboard. Just create another post-process search where your query is just "| table company, AvgScore".
r. Ismo
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...