Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to hide a field of a table but keep it for sep...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to hide a field of a table but keep it for separate search? Thank you for your help
For example: field "id" exists on the index. I don't want to display field "id" on the first table (Base search), but display it on the second table (uses the first search as Base search)
<search id="base">
<query> index=testindex
| table company, ip, AvgScore
</query>
</search>
| company | ip | AvgScore |
| CompanyA | ip1 | 1 |
| CompanyA | ip2 | 3 |
| CompanyA | ip3 | 4 |
<search base="base">
<query> | lookup example.csv id as id OUTPUTNEW id, location
| table company, id, ip, AvgScore, location
</query>
</search>
| company | id | ip | AvgScore | location |
| CompanyA | idA | ip1 | 1 | loc1 |
| CompanyA | idA | ip2 | 3 | loc1 |
| CompanyA | idA | ip3 | 4 | loc1 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LearningGuy ,
as I said, in the base search you must put all the fields to use in the dashboard's panels, then in each panel you can put the fields you need in that panel, something like this:
base search
<search id="base">
<query>
index=testindex
| fields company ip id AvgScore
</query>
</search>Panel 1 (without id field):
<search base="base">
<query>
index=testindex
| table company ip AvgScore
</query>
</search>Panel 2 (with id field):
<search base="base">
<query>
| lookup example.csv id OUTPUTNEW id location
| table company id ip AvgScore location
</query>
</search>Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LearningGuy ,
in the base search you must insert all the fields you need in the following panels.
Then in each panel, you display only the fields you want for that panel.
In your use case:
Base Search:
<search id="base">
<query> index=testindex
| fields company ip id AvgScore
</query>
</search>Panel's Search:
<search base="base">
<query>
| lookup example.csv id OUTPUTNEW id location
| table company id ip AvgScore location
</query>
</search>Additional information: if the key field in the lookup command is the same of the main search you don't need to use "id as id".
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @gcusello
Thank you for your help.
I have 2 "statistics table" panels:
1) statistic table for the base search (id="base")
I don't want to display "id "field on the table
2) statistic table panel for the second search (derived from the base search base="base")
I want to display "id" field on the table
How do I not display "id" field on the statistic table panel for the base search, but display "id" field on the statistic table panel for the second search?
If I remove "id" from "| table" the base search, it doesn't display on the statistic table for the base search couldn't use it on the second search
1) statistic table for the base search
<search id="base">
<query> index=testindex
| table company, ip, AvgScore
</query>
</search>
| company | ip | AvgScore |
| CompanyA | ip1 | 1 |
| CompanyA | ip2 | 3 |
| CompanyA | ip3 | 4 |
2) statistic table panel for the second search
<search base="base">
<query> | lookup example.csv id as id OUTPUTNEW id, location
| table company, id, ip, AvgScore, location
</query>
</search>
| company | id | ip | AvgScore | location |
| CompanyA | idA | ip1 | 1 | loc1 |
| CompanyA | idA | ip2 | 3 | loc1 |
| CompanyA | idA | ip3 | 4 | loc1 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LearningGuy ,
as I said, in the base search you must put all the fields to use in the dashboard's panels, then in each panel you can put the fields you need in that panel, something like this:
base search
<search id="base">
<query>
index=testindex
| fields company ip id AvgScore
</query>
</search>Panel 1 (without id field):
<search base="base">
<query>
index=testindex
| table company ip AvgScore
</query>
</search>Panel 2 (with id field):
<search base="base">
<query>
| lookup example.csv id OUTPUTNEW id location
| table company id ip AvgScore location
</query>
</search>Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked.. Thank you so much for your help... I accepted your solution
I wish there were other way to hide the field though.. let me know if there is.. thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LearningGuy ,
as I said, you don't hide fields in the base search: in base search you need to put all the fields you need in the dashboard' s panels, then in each panel yu use only the fields you need.
The base search is the starting point of all the panels' searches.
One additional hint: if you don't use a streming commad (as stats or timechart, etc...) the advantage of base search is limited.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
just define that base search as now, but don' use it as your query which create table on your dashboard. Just create another post-process search where your query is just "| table company, AvgScore".
r. Ismo
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
