Splunk Search

How to remove a field from a visualization, but not remove it from search results?

ronekarleone
Explorer

I have search results like this:

Host---------------Description------------ EventSize
127.0.0.1----------Prod DB---------------- 90
127.0.0.2----------Trade Service---------- 34

I need to remove the "Description" field from the visualization (for a chart like "EventSize by Host"), but not remove this field from the search results. How can I do that?

Thanks.

UPD.
It isn't a dashboard, so it has no Simple XML. I use this search for my report (Source_description is a CSV lookup with the descriptions):

| inputlookup Source_description
| fields Host Description
| join Host
    [ search index=_internal source=*license_usage.log type="Usage"
      | stats sum(b) AS b BY h
      | eval TotalSizeMB=if(isnull(b) OR len(b)=0, "0.00", round(b/1024/1024, 2))
      | fields h, TotalSizeMB
      | rename h AS Host ]
| fields Host Description TotalSizeMB
| sort 5 - TotalSizeMB

And I have the Statistics and Visualization tabs like this:
[screenshot of the Statistics tab and the Visualization tab for this search]

You can see that the Description field is useless in the chart, but useful in the statistics table.
I can use a command like " | eval Host=Host." - ".Description | fields - Description " to merge the 2 fields, but it isn't the best solution, because the Host field becomes difficult to read.

So, how can I remove this field from the chart but keep it in the statistics of the search?

0 Karma
1 Solution

rjthibod
Champion

You can use a post-processing search to generate the chart without the Description.

Assume this is the definition of your table. Note the <search id="base_search">

<table>
  <title>...</title>
  <search id="base_search">
    <query>
| inputlookup Source_description
| fields Host Description
| join Host
    [ search index=_internal source=*license_usage.log type="Usage"
      | stats sum(b) AS b BY h
      | eval TotalSizeMB=if(isnull(b) OR len(b)=0, "0.00", round(b/1024/1024, 2))
      | fields h, TotalSizeMB
      | rename h AS Host ]
| fields Host Description TotalSizeMB
| sort 5 - TotalSizeMB
    </query>
  </search>
</table>

Then you can use <search base="base_search"> as a post-processing search to remove that one field.

<chart>
  <title>...</title>
  <search base="base_search">
    <query>
      fields Host TotalSizeMB
    </query>
  </search>
  <option name="charting.chart">column</option>
</chart>

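The two-panel dashboard the accepted answer sketches (and that the asker reports building in the end) written out as one complete Simple XML file. This is an added example, not code from either post. It assumes the lookup is named Source_description with columns Host and Description, as in the question, and that license_usage.log is searchable from the instance hosting the dashboard (it is written on the license master, so on a distributed deployment the search head must be able to reach it). The dashboard label, the 24-hour time range and the axis-title options are assumptions added for illustration.

```xml
<dashboard>
  <label>License usage by host</label>
  <row>
    <panel>
      <!-- Base search: keeps Description so the table can show it.
           The id is what the chart panel refers to. -->
      <table>
        <title>Top 5 hosts by license usage (with description)</title>
        <search id="base_search">
          <query>
| inputlookup Source_description
| fields Host Description
| join Host
    [ search index=_internal source=*license_usage.log type="Usage"
      | stats sum(b) AS b BY h
      | eval TotalSizeMB=round(coalesce(b, 0)/1024/1024, 2)
      | rename h AS Host
      | fields Host TotalSizeMB ]
| fields Host Description TotalSizeMB
| sort 5 - TotalSizeMB
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <!-- Post-process search: reuses the base results and drops Description.
           A post-process query must NOT start with a pipe. -->
      <chart>
        <title>Top 5 hosts by license usage</title>
        <search base="base_search">
          <query>fields Host TotalSizeMB</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.axisTitleX.text">Host</option>
        <option name="charting.axisTitleY.text">License usage (MB)</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Two caveats worth knowing before copying this pattern elsewhere. First, the base search ends in `fields` and `sort` rather than a transforming command; that is fine here because inputlookup joined with a per-host stats returns a handful of rows, but a non-transforming base search only hands the first 500,000 results (by default) to its post-process searches, so for large result sets end the base search in stats, chart or timechart. Second, because the `sort 5` limit lives in the base search, both panels show the same five hosts, which is what keeps the table and the chart consistent with each other.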

ronekarleone
Explorer

It's a nice solution for dashboards, but not for reports (saved searches). But in any case, thank you! This is the best answer for the moment.

0 Karma

rjthibod
Champion

I did not know you needed it for a saved search/report. If that is the case, it would be helpful for you to restate the desired configuration, for example, what fields need to be available where.

0 Karma

f5x6kb8
Explorer

I am in a similar situation to the one presented in this instance. Suppose we use it and continue on? Is there a way, in saved reports, to 'hide' the field DESCRIPTION in the chart but still have it present in the table/results?

0 Karma

ronekarleone
Explorer

Hi! I didn't find a solution for saved reports. So I have changed this project and now use dashboards instead of saved reports.
The first panel is an "EventSize by Host" chart and the second panel is a "Host, Description, EventSize" table.
It's the only solution that I found.

0 Karma

rjthibod
Champion

Please accept my answer if the gist of it demonstrated how to fix the issue in the case of dashboards

0 Karma

rjthibod
Champion

The answer depends on the type of visualization you are using, and why you need the Description field to stay in the results.

Can you share some of your Simple XML that would clarify those two things?

0 Karma

ronekarleone
Explorer

Thanks for reply. I added to post all information.

0 Karma

skalliger
Motivator

Like this?

index=whatever
| fields Host, Description, EventSize
| table Host, EventSize

Skalli

Edit: With your search of course.

0 Karma

ronekarleone
Explorer

Thanks for the reply, but it doesn't work. The table command removes the "Description" field from the Statistics tab in the search results. Any ideas?

0 Karma