| makeresults
| eval _raw="{ \"build_number\": 546,
\"build_url\": \"blar\",
\"event_tab\": \"build_report\",
\"job_name\": \"blar\",
\"job_result\": \"SUCCESS\",
\"metadata\": {
\"FUNCTOONAL_AREA\": \"DevOps\",
\"JMX_FILE\": \"Sample-Test-Plan/sendMessageTest\",
\"REQUIRED_LGS\": 1,
\"SQUAD_NAME\": \"SquadNameChong\",
\"STACK_NAME\": \"DevOps-jmeter\",
\"TEST_REPO_BRANCH\": \"feature/EFORTS\",
\"scm\": \"git\" },
\"page_num\": 1,
\"testsuite\": { },
\"user\": \"blar\" }"
| spath
| table metadata* user

Hi, The field name under metadata is
metadata. fieldname

Great Info. I tried table and it looks like it is exactly what I want. However, while it returns the columns I need, there is no data in them. The data is in the "events" visualizations, so I know it exists. Is it because those fields are under "metadata"?

Hi Jtpryan,

You could use either "table" command or "fields" commands to include or exclude fields.

1)Table command
This is a transforming command and will include only the fields which are mentioned in the command.

Only User, Stack_Name, Functional_Area, Squad will get displayed as per below example.

|your_search
|table User, Stack_Name, Functional_Area, Squad

2)Fields command
This is used to either include or exclude any fields.Also displays the internal fields - with underscores like _time,useful to plot
charts in some cases.Uses + and - symbols to specify inclusion or exclusion.

Only User, Stack_Name, Functional_Area, Squad will get displayed and the internals fields are available to use.

|your_search
|fields + User, Stack_Name, Functional_Area, Squad

All fields EXCEPT User, Stack_Name, Functional_Area, Squad will get displayed

|your_search
|fields - User, Stack_Name, Functional_Area, Squad.

Happy Splunking!!

Hi @jtpryan
did you explored the table command?

So, please, try something like this:

my_search
| table User Stack_Name Functional_Area Squad

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Table

Ciao.
Giuseppe