Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show only related fields when condition matches

vikashperiwal89
Engager
‎01-16-2021 07:12 AM

Hi Team,

 

I am trying to create a search which says 

If myField= xyz, then i need to show id , salary ,department fields in table

If myField = abc then need to show location, address, phone fields in tabke

Similarly if myField = ddd then need to show age, ht, gender.. fields in table

i was trying to use case , if statement but not sure how to get multiple fields in table based on condition....by using drop it would be easy as i can set condition and get the output , but want to do this in search..

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

vikashperiwal
Path Finder
‎01-17-2021 08:15 PM

@gcusello , 

 

The solution works , but i am getting all the fields values concatenated under one field.

Is it possible we have have each field as separate for example, extending the below use case

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

I want in below format

_timemyFieldIdsalarydepartment
time vauexyz11000000cse
time valuexyz22000000IT
     
Tags (1)
0 Karma
Reply
Solved! Jump to solution

DaveB
New Member
‎07-11-2024 07:50 AM

I had a similar desire to change the number of fields displayed dependant on a condition. mine was triggered by a dropdown selection, so I set a token when the drop down was  changed   ,that token held a list  of the fields i wanted to display.

at the end of my search i used 

| fields=$myfields$



and it works perfectly. dont think it is possible within the search it self, but if the fields could be set based on the results of another search or an input box it should be possible

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2021 11:17 PM

Hi @vikashperiwal,

yes, as I said, if you want divided fields, you have to divide them after display using e.g. a regex:

| rex field=display_fields "^(?<field1>[^-]+)-(?<field2>[^-]+)-(?<field3>.+)"

The problem is to give the correct name field to the column because SPL isn't a procedural language so you cannot rename a field based on an if  condition.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...