Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show only related fields when condition matches

vikashperiwal89
Engager
‎01-16-2021 07:12 AM

Hi Team,

 

I am trying to create a search which says 

If myField= xyz, then i need to show id , salary ,department fields in table

If myField = abc then need to show location, address, phone fields in tabke

Similarly if myField = ddd then need to show age, ht, gender.. fields in table

i was trying to use case , if statement but not sure how to get multiple fields in table based on condition....by using drop it would be easy as i can set condition and get the output , but want to do this in search..

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

vikashperiwal
Path Finder
‎01-17-2021 08:15 PM

@gcusello , 

 

The solution works , but i am getting all the fields values concatenated under one field.

Is it possible we have have each field as separate for example, extending the below use case

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

I want in below format

_timemyFieldIdsalarydepartment
time vauexyz11000000cse
time valuexyz22000000IT
     
Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2021 11:17 PM

Hi @vikashperiwal,

yes, as I said, if you want divided fields, you have to divide them after display using e.g. a regex:

| rex field=display_fields "^(?<field1>[^-]+)-(?<field2>[^-]+)-(?<field3>.+)"

The problem is to give the correct name field to the column because SPL isn't a procedural language so you cannot rename a field based on an if  condition.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...