Splunk Search

How to restrict search results to columns wanted

jtpryan
New Member

I have a search that returns a large amount of information in each row, resulting in many columns, most of which I don't want in this dashboard.

How do I restrict it to the columns I want?

For example: User, Stack_Name, Functional_Area, Squad.

0 Karma

jtpryan
New Member

Sweet! Thank you. Now I need to figure out how to format my dashboard to just have the title of the column not be "metadata.x"
where x = the metadata subcategory.

0 Karma

dindu
Contributor

Hi jtpryan,
You could use rename command to change display name.

index="" sourcetype=""
|spath input=_raw
|your_search
|table User, metadata.Stack_Name, metadata.Functional_Area, metadata.Squad
|rename metadata.Stack_Name as Stack_Name, metadata.Functional_Area as Functional_Area, metadata.Squad as Squad

Please accept and upvote answers if it solved your issue.

Happy Splunking!!

0 Karma
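A complete search that puts the pieces of this thread together, added here as an example and not code posted by anyone in the thread: it builds a single event from a constructed JSON string shaped like the one discussed (the user and metadata.* field names are assumed), extracts it with spath, and uses a wildcard rename to strip the "metadata." prefix from every nested field in one step instead of renaming each field individually, so the dashboard column titles show only the subcategory name.

```spl
| makeresults
| eval _raw="{\"user\": \"example_user\", \"metadata\": {\"STACK_NAME\": \"DevOps-jmeter\", \"FUNCTIONAL_AREA\": \"DevOps\", \"SQUAD_NAME\": \"SquadNameChong\", \"scm\": \"git\"}}"
| spath
| rename metadata.* AS *
| table user STACK_NAME FUNCTIONAL_AREA SQUAD_NAME
```

Because rename changes the extracted field names themselves, the column headers become STACK_NAME, FUNCTIONAL_AREA and SQUAD_NAME; swap the final table for "fields + user STACK_NAME FUNCTIONAL_AREA SQUAD_NAME" if you also need _time for a chart.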

to4kawa
Ultra Champion
| makeresults
| eval _raw="{ \"build_number\": 546,
\"build_url\": \"blar\",
\"event_tab\": \"build_report\",
\"job_name\": \"blar\",
\"job_result\": \"SUCCESS\",
\"metadata\": {
\"FUNCTOONAL_AREA\": \"DevOps\",
\"JMX_FILE\": \"Sample-Test-Plan/sendMessageTest\",
\"REQUIRED_LGS\": 1,
\"SQUAD_NAME\": \"SquadNameChong\",
\"STACK_NAME\": \"DevOps-jmeter\",
\"TEST_REPO_BRANCH\": \"feature/EFORTS\",
\"scm\": \"git\" },
\"page_num\": 1,
\"testsuite\": { },
\"user\": \"blar\" }"
| spath
| table metadata* user

Hi, the field name under metadata is metadata.fieldname

0 Karma

jtpryan
New Member

Great Info. I tried table and it looks like it is exactly what I want. However, while it returns the columns I need, there is no data in them. The data is in the "events" visualizations, so I know it exists. Is it because those fields are under "metadata"?


0 Karma

dindu
Contributor

Hi JtPryan,

Great!!
Looks likes your source data is in JSON format.
Could you please try parsing the data? You could use the "spath" command as below.

index="" sourcetype=""
|spath input=_raw
|your_search
|table User, Stack_Name, Functional_Area, Squad

0 Karma

dindu
Contributor

Hi Jtpryan,

You could use either the "table" command or the "fields" command to include or exclude fields.

1) Table command
This is a transforming command and will include only the fields which are mentioned in the command.

Only User, Stack_Name, Functional_Area, Squad will get displayed as per below example.

|your_search
|table User, Stack_Name, Functional_Area, Squad

2) Fields command
This is used to either include or exclude any fields. It also keeps the internal fields (those with underscores, like _time), which is useful to plot charts in some cases. It uses the + and - symbols to specify inclusion or exclusion.

Only User, Stack_Name, Functional_Area, Squad will get displayed and the internal fields are available to use.

|your_search
|fields + User, Stack_Name, Functional_Area, Squad

All fields EXCEPT User, Stack_Name, Functional_Area, Squad will get displayed

|your_search
|fields - User, Stack_Name, Functional_Area, Squad

Happy Splunking!!

0 Karma

gcusello
SplunkTrust

Hi @jtpryan
did you explore the table command?

So, please, try something like this:

my_search
| table User Stack_Name Functional_Area Squad

For more info see https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Table

Ciao.
Giuseppe

0 Karma