Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show a table listing FIELDA values when FIELDB equals 00.000?

rayleadingham
Explorer
‎06-21-2018 03:04 AM

Hi all
I have read the documentation and tested for hours but I am somehow not grasping how searching works.

I have 7000 events with multiple fields. I would like to display a table with one column called FieldA and populate the table with the value of FIELDA for every event where FIELDB = 00.000

Examples of the things I have tried:

index=index FIELDA | table FieldA | FIELDB=00.000
index=index FIELDA where FIELDB=00.000 AS FieldA by index

Any feedback or advice on how to achieve what i am trying to do would be much appreciated. The amount of Splunk documentation is a bit overwhelming.

Thank you!!!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-21-2018 04:42 AM

Your first attempt is close, but once you apply | table FieldA, that is the only field you have, so you can't then filter for FieldB anymore. So you need to first do the filtering and then apply the table command to only show FieldA.

index=index FIELDB="00.000" | table FieldA

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-21-2018 04:42 AM

Your first attempt is close, but once you apply | table FieldA, that is the only field you have, so you can't then filter for FieldB anymore. So you need to first do the filtering and then apply the table command to only show FieldA.

index=index FIELDB="00.000" | table FieldA
Reply
Solved! Jump to solution

rayleadingham
Explorer
‎06-21-2018 04:47 AM

This is excellent, simple and exactly what I was looking for!

Thank you!

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎06-21-2018 04:34 AM

Hey@rayleadingham,

You can try this:
index=index | table FieldA FieldB | where FieldB="00.000"

Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-21-2018 04:40 AM

@deepashri, I think right way would be to get only required events from index

index=index FieldB="00.000" 
| table FieldA FieldB
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

rayleadingham
Explorer
‎06-21-2018 04:49 AM

Thank you for your comments and suggestions, this works exactly like the answer that was written.

Great help and much appreciated!

Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top