Splunk Search

How to restrict search results to columns wanted

jtpryan
New Member

I have a search that returns a large amount of information in each row, resulting in many columns, most of which I don't want in this dashboard.

How do I restrict it to the columns I want?

For example: User, Stack_Name, Functional_Area, Squad.

0 Karma

jtpryan
New Member

Sweet! Thank you. Now I need to figure out how to format my dashboard to just have the title of the column not be "metadata.x"
where x = the metadata subcategory.

0 Karma

dindu
Contributor

Hi jtpryan,
You could use rename command to change display name.

index="" sourcetype=""
|spath input=_raw
|your_search
|table User, metadata.Stack_Name, metadata.Functional_Area, metadata.Squad
|rename metadata.Stack_Name as Stack_Name, metadata.Functional_Area as Functional_Area, metadata.Squad as Squad

Please accept and upvote answers if it solved your issue.

Happy Splunking!!

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="{ \"build_number\": 546,
\"build_url\": \"blar\",
\"event_tab\": \"build_report\",
\"job_name\": \"blar\",
\"job_result\": \"SUCCESS\",
\"metadata\": {
\"FUNCTOONAL_AREA\": \"DevOps\",
\"JMX_FILE\": \"Sample-Test-Plan/sendMessageTest\",
\"REQUIRED_LGS\": 1,
\"SQUAD_NAME\": \"SquadNameChong\",
\"STACK_NAME\": \"DevOps-jmeter\",
\"TEST_REPO_BRANCH\": \"feature/EFORTS\",
\"scm\": \"git\" },
\"page_num\": 1,
\"testsuite\": { },
\"user\": \"blar\" }"
| spath
| table metadata* user

Hi, the field name under metadata is
metadata.fieldname

0 Karma

jtpryan
New Member

Great Info. I tried table and it looks like it is exactly what I want. However, while it returns the columns I need, there is no data in them. The data is in the "events" visualizations, so I know it exists. Is it because those fields are under "metadata"?

0 Karma

dindu
Contributor

Hi JtPryan,

Great!!
Looks like your source data is in JSON format.
Could you please try parsing the data? You could use the "spath" command as below.

index="" sourcetype=""
|spath input=_raw
|your_search
|table User, Stack_Name, Functional_Area, Squad

0 Karma

dindu
Contributor

Hi Jtpryan,

You could use either "table" command or "fields" commands to include or exclude fields.

1) Table command
This is a transforming command and will include only the fields which are mentioned in the command.

Only User, Stack_Name, Functional_Area, Squad will get displayed as per below example.

|your_search
|table User, Stack_Name, Functional_Area, Squad

2) Fields command
This is used to either include or exclude any fields. It also keeps the internal fields (the ones with underscores like _time), which is useful to plot
charts in some cases. It uses the + and - symbols to specify inclusion or exclusion.

Only User, Stack_Name, Functional_Area, Squad will get displayed and the internal fields are available to use.

|your_search
|fields + User, Stack_Name, Functional_Area, Squad

All fields EXCEPT User, Stack_Name, Functional_Area, Squad will get displayed

|your_search
|fields - User, Stack_Name, Functional_Area, Squad

Happy Splunking!!

0 Karma
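Putting the thread's pieces together, here is an added example (my own, not from any poster above) that runs without the original index by building two JSON events with makeresults. It assumes the metadata field names from to4kawa's sample (STACK_NAME, FUNCTIONAL_AREA, SQUAD_NAME) and strips the metadata. prefix from all selected columns with one wildcard rename instead of renaming each field by hand.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "{\"user\": \"alice\", \"job_result\": \"SUCCESS\", \"metadata\": {\"FUNCTIONAL_AREA\": \"DevOps\", \"SQUAD_NAME\": \"SquadA\", \"STACK_NAME\": \"DevOps-jmeter\", \"scm\": \"git\"}}",
    "{\"user\": \"bob\", \"job_result\": \"FAILURE\", \"metadata\": {\"FUNCTIONAL_AREA\": \"Payments\", \"STACK_NAME\": \"Payments-api\", \"scm\": \"git\"}}")
| spath
| table user metadata.STACK_NAME metadata.FUNCTIONAL_AREA metadata.SQUAD_NAME
| rename metadata.* AS *
| fillnull value="-" SQUAD_NAME
```

The second constructed event has no SQUAD_NAME, so table would otherwise leave that cell blank; fillnull makes the gap visible as "-" in the dashboard panel. To run it against real data, replace the makeresults, streamstats and eval lines with your index=... sourcetype=... search.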

gcusello
SplunkTrust

Hi @jtpryan
Did you explore the table command?

So, please, try something like this:

my_search
| table User Stack_Name Functional_Area Squad

For more info see https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Table

Ciao.
Giuseppe

0 Karma