
How to restrict search results to columns wanted

New Member

I have a search that returns a large amount of information in each row, resulting in many columns, most of which I don't want in this dashboard.

How do I restrict it to the columns I want?

For example: User, StackName, FunctionalArea, Squad.

0 Karma

Re: How to restrict search results to columns wanted

Legend

Hi @jtpryan
did you explore the table command?

So, please, try something like this:

my_search
| table User Stack_Name Functional_Area Squad

For more info, see https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Table

Ciao.
Giuseppe

0 Karma

Re: How to restrict search results to columns wanted

Contributor

Hi Jtpryan,

You could use either the "table" command or the "fields" command to include or exclude fields.

1) Table command
This is a transforming command and will include only the fields which are mentioned in the command.

Only User, StackName, FunctionalArea, Squad will get displayed as per below example.

|your_search
|table User, Stack_Name, Functional_Area, Squad

2) Fields command
This is used to either include or exclude any fields. It also displays the internal fields (those with underscores, like _time), which is useful for plotting charts in some cases. It uses the + and - symbols to specify inclusion or exclusion.

Only User, StackName, FunctionalArea, Squad will get displayed, and the internal fields are available to use.

|your_search
|fields + User, Stack_Name, Functional_Area, Squad

All fields EXCEPT User, StackName, FunctionalArea, Squad will get displayed

|your_search
|fields - User, Stack_Name, Functional_Area, Squad

Happy Splunking!!

0 Karma

Re: How to restrict search results to columns wanted

New Member

Great Info. I tried table and it looks like it is exactly what I want. However, while it returns the columns I need, there is no data in them. The data is in the "events" visualizations, so I know it exists. Is it because those fields are under "metadata"?


0 Karma

Re: How to restrict search results to columns wanted

Contributor

Hi JtPryan,

Great!!
Looks like your source data is in JSON format.
Could you please try parsing the data? You could use the "spath" command as below.

index="" sourcetype=""
|spath input=_raw
|your_search
|table User, StackName, FunctionalArea, Squad

0 Karma

Re: How to restrict search results to columns wanted

Ultra Champion

| makeresults
| eval _raw="{ \"build_number\": 546,
\"build_url\": \"blar\",
\"event_tab\": \"build_report\",
\"job_name\": \"blar\",
\"job_result\": \"SUCCESS\",
\"metadata\": {
\"FUNCTOONAL_AREA\": \"DevOps\",
\"JMX_FILE\": \"Sample-Test-Plan/sendMessageTest\",
\"REQUIRED_LGS\": 1,
\"SQUAD_NAME\": \"SquadNameChong\",
\"STACK_NAME\": \"DevOps-jmeter\",
\"TEST_REPO_BRANCH\": \"feature/EFORTS\",
\"scm\": \"git\" },
\"page_num\": 1,
\"testsuite\": { },
\"user\": \"blar\" }"
| spath
| table metadata* user

Hi, the field name under metadata is metadata.fieldname

0 Karma

Re: How to restrict search results to columns wanted

New Member

Sweet! Thank you. Now I need to figure out how to format my dashboard to just have the title of the column not be "metadata.x" where x = the metadata subcategory.

0 Karma

Re: How to restrict search results to columns wanted

Contributor

Hi jtpryan,
You could use the rename command to change the display name.

index="" sourcetype=""
|spath input=_raw
|your_search
|table User, metadata.StackName, metadata.FunctionalArea, metadata.Squad
|rename metadata.StackName as StackName, metadata.FunctionalArea as FunctionalArea, metadata.Squad as Squad

Please accept and upvote answers if it solved your issue.

Happy Splunking!!

0 Karma
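
The steps from this thread combined into one search that runs on its own, as an added example that is not from any of the posters. The event is a constructed sample modeled on the one posted above (keys kept exactly as posted, including FUNCTOONAL_AREA), and the output column names are the ones the question asked for. Field names are case-sensitive and `table` shows an empty column for a name that does not exist in the event, so the search selects the keys as they appear in the JSON and renames them afterwards.

```spl
| makeresults
| eval _raw="{\"user\": \"blar\", \"job_result\": \"SUCCESS\", \"metadata\": {\"FUNCTOONAL_AREA\": \"DevOps\", \"SQUAD_NAME\": \"SquadNameChong\", \"STACK_NAME\": \"DevOps-jmeter\", \"scm\": \"git\"}}"
| spath input=_raw
| fields user metadata.*
| rename metadata.* as *
| rename user as User, STACK_NAME as StackName, FUNCTOONAL_AREA as FunctionalArea, SQUAD_NAME as Squad
| table User StackName FunctionalArea Squad
```

The wildcard `rename metadata.* as *` strips the prefix from every nested field at once; the second `rename` maps the raw keys to the dashboard column titles.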