Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show only related fields when condition matches

vikashperiwal89
Engager
‎01-16-2021 07:12 AM

Hi Team,

 

I am trying to create a search which says 

If myField= xyz, then i need to show id , salary ,department fields in table

If myField = abc then need to show location, address, phone fields in tabke

Similarly if myField = ddd then need to show age, ht, gender.. fields in table

i was trying to use case , if statement but not sure how to get multiple fields in table based on condition....by using drop it would be easy as i can set condition and get the output , but want to do this in search..

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

vikashperiwal
Path Finder
‎01-17-2021 08:15 PM

@gcusello , 

 

The solution works , but i am getting all the fields values concatenated under one field.

Is it possible we have have each field as separate for example, extending the below use case

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

I want in below format

_timemyFieldIdsalarydepartment
time vauexyz11000000cse
time valuexyz22000000IT
     
Tags (1)
0 Karma
Reply
Solved! Jump to solution

DaveB
New Member
‎07-11-2024 07:50 AM

I had a similar desire to change the number of fields displayed dependant on a condition. mine was triggered by a dropdown selection, so I set a token when the drop down was  changed   ,that token held a list  of the fields i wanted to display.

at the end of my search i used 

| fields=$myfields$



and it works perfectly. dont think it is possible within the search it self, but if the fields could be set based on the results of another search or an input box it should be possible

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2021 11:17 PM

Hi @vikashperiwal,

yes, as I said, if you want divided fields, you have to divide them after display using e.g. a regex:

| rex field=display_fields "^(?<field1>[^-]+)-(?<field2>[^-]+)-(?<field3>.+)"

The problem is to give the correct name field to the column because SPL isn't a procedural language so you cannot rename a field based on an if  condition.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...