Hi all
I have read the documentation and tested for hours but I am somehow not grasping how searching works.
I have 7000 events with multiple fields. I would like to display a table with one column called FieldA and populate the table with the value of FIELDA for every event where FIELDB = 00.000
Examples of the things I have tried:
index=index FIELDA | table FieldA | FIELDB=00.000
index=index FIELDA where FIELDB=00.000 AS FieldA by index
Any feedback or advice on how to achieve what I am trying to do would be much appreciated. The amount of Splunk documentation is a bit overwhelming.
Thank you!!!
Your first attempt is close, but once you apply | table FieldA, that is the only field you have, so you can't then filter for FieldB anymore. So you need to first do the filtering and then apply the table command to only show FieldA.
index=index FIELDB="00.000" | table FieldA
This is excellent, simple and exactly what I was looking for!
Thank you!
Hey @rayleadingham,
You can try this:
index=index | table FieldA FieldB | where FieldB="00.000"
Let me know if this helps!!
@deepashri, I think the right way would be to get only the required events from the index:
index=index FieldB="00.000"
| table FieldA FieldB
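The point made in the answers above (the table command keeps only the fields you list, so any filter has to run before it or on a field you kept) can be seen without access to the original index. The search below is an added example, not from the thread or from Splunk's documentation; it builds six constructed events with makeresults and eval (the names FieldA, FieldB, the host values and the FieldB values are invented for the demonstration) and then applies the filter-then-table pattern. Filtering with FieldB="00.000" keeps it a string comparison, so values such as "0" or "0.0" are not matched by accident.

```spl
| makeresults count=6
| streamstats count AS n
| eval FieldA="host".n, FieldB=if(n%2=0, "00.000", "12.345")
| where FieldB="00.000"
| table FieldA
```

Running this returns three rows (host2, host4, host6). Moving the where clause after | table FieldA instead returns nothing, because FieldB no longer exists at that point in the pipeline. Against real data, the equivalent is index=index FieldB="00.000" | table FieldA, which also filters at search time rather than pulling all 7000 events first. If the filter unexpectedly returns no rows, index=index | stats count by FieldB shows the exact values the field actually holds, which is the quickest way to spot a formatting difference such as 0.000 versus 00.000.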
Thank you for your comments and suggestions, this works exactly like the answer that was written.
Great help and much appreciated!