How to remove a field from a visualization, but not remove it from search results?

Explorer

I have search results like this:

Host---------------Description------------ EventSize
127.0.0.1----------Prod DB---------------- 90
127.0.0.2----------Trade Service---------- 34

I need to remove the "Description" field from the visualization (for a chart like "EventSize by Host"), but not remove this field from the search results. How can I do that?

Thanks.

UPD.
It isn't a dashboard, so it doesn't have Simple XML. I use this search for my report:

|inputlookup Source_description ```add CSV lookup with Descriptions```
|fields Host Description
|join 
    [search index=_internal source=*license_usage.log type="Usage"
    |stats sum(b) as b by h
    |eval TotalSizeMB=if(len(b)=0 OR isnull (b), "0.00", round (b/1024/1024,2))
    |fields h, TotalSizeMB
    |rename h AS Host ]
|fields Host Description TotalSizeMB
|sort 5 - TotalSizeMB

And I have statistics and visualization tabs like this:

You can see that the Description field is useless in the chart, but useful in the statistics table.
I can use a command like this: " |eval Host=Host." - ".Description |fields - Description " to merge the 2 fields, but it isn't the best solution, because it becomes difficult to read the Host field.

So, how can I remove this field from the chart, but keep it in the statistics search?

0 Karma
1 Solution

Champion

You can use a post-processing search to generate the chart without the Description.

Assume this is the definition of your table. Note the <search id="base_search">

<table>
  <title>...</title>
  <search id="base_search">
    <query>
 |inputlookup Source_description ```add CSV lookup with Descriptions```
 |fields Host Description
 |join 
     [search index=_internal source=*license_usage.log type="Usage"
     |stats sum(b) as b by h
     |eval TotalSizeMB=if(len(b)=0 OR isnull (b), "0.00", round (b/1024/1024,2))
     |fields h, TotalSizeMB
     |rename h AS Host ]
 |fields Host Description TotalSizeMB
 |sort 5 - TotalSizeMB
    </query>
  </search>
</table>

Then you can use <search base="base_search"> as a post-processing search to remove that one field.

<chart>
  <title>...</title>
  <search base="base_search">
    <query>
      fields Host TotalSizeMB
    </query>
  </search>
  <option name="charting.chart">column</option>
</chart>

Explorer

It's a nice solution for dashboards, but not for reports (saved searches). But in any case, thank you! This is the best answer at the moment.

0 Karma

Champion

I did not know you needed it for a saved search/report. If that is the case, it would be helpful for you to restate the desired configuration, for example, what fields need to be available where.

0 Karma

Explorer

I am in a similar situation as was presented in this instance. Suppose we use it and continue on? Is there a way...in saved reports...to 'hide' the field DESCRIPTION in the chart, but still have it present in the table/results?

0 Karma

Explorer

Hi! I didn't find a solution for saved reports. So I have changed this project and now use dashboards instead of saved reports.
The first panel is an "EventSize by Host" chart and the second panel is a "host, description, EventSize" table.
It's the only solution that I found.

0 Karma
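
The two-panel layout described above, written out as a complete Simple XML dashboard. This is an added example, not code from the thread: it moves the base search to the top level so it runs once and both panels post-process it. The dashboard label, panel titles and time range are assumptions; the lookup, index and field names are the ones used in the question.

```xml
<dashboard>
  <label>License usage by host</label> <!-- label is an assumed name -->
  <!-- Shared base search: runs once, both panels post-process its results -->
  <search id="base_search">
    <query>
      | inputlookup Source_description
      | fields Host Description
      | join
          [ search index=_internal source=*license_usage.log type="Usage"
          | stats sum(b) as b by h
          | eval TotalSizeMB=if(len(b)=0 OR isnull(b), "0.00", round(b/1024/1024,2))
          | fields h, TotalSizeMB
          | rename h AS Host ]
      | fields Host Description TotalSizeMB
      | sort 5 - TotalSizeMB
    </query>
    <earliest>-24h@h</earliest> <!-- assumed time range -->
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>TotalSizeMB by Host</title>
      <chart>
        <!-- Description is dropped here only, so it never becomes a chart series -->
        <search base="base_search">
          <query>| fields Host TotalSizeMB</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <title>Host, Description, TotalSizeMB</title>
      <table>
        <!-- The table keeps all three fields from the base search -->
        <search base="base_search">
          <query>| table Host Description TotalSizeMB</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```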

Champion

Please accept my answer if the gist of it demonstrated how to fix the issue in the case of dashboards.

0 Karma

Champion

The answer depends on the type of visualization you are using, and why you need the Description field to stay in the results.

Can you share some of your SimpleXML that would clarify those two things?

0 Karma

Explorer

Thanks for the reply. I added all the information to the post.

0 Karma

SplunkTrust

Like this?

index=whatever
| fields Host, Description, EventSize
| table Host, EventSize

Skalli

Edit: With your search of course.

0 Karma

Explorer

Thanks for the reply, but it doesn't work. The table command removes the "Description" field from the statistics tab in the search results. Any ideas?

0 Karma