It might take creative (or totally bland) field naming, but you could try using macros to do the table formatting, then pass it the fields you want. For instance, I did this with some logs of my own:
... | eval a1=eventtype | eval a2=bytes_in | eval a3=bytes_out | eval a4=ack_packets_in | eval a5=ack_packets_out | `my-table(a1 a2 a3 a4 a5)`
That results in a table with fields labeled a1 through a5. Obviously change those to whatever names you want. This depends on a macro I created that consists of
definition: table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$
You can create several of these, differing only in the number of arguments, and then call them all the same way. So if you have a my-table(4) and a my-table(5), and you called
... | `my-table(myfield1 myfield2 myfield3 myfield4)`
it would use the 4-argument version.
To vary things, you could use some other generic field category, and maybe call it like the example below, using a "built in" field EventCode and a "generated" field OtherInfo1.
... | eval OtherInfo1=if(isnotnull(somefield),somefield, someotherfield) | `my-table(EventCode, OtherInfo1)`
Similarly, other types of calculations may work, like
... | eval a2=if(bytes_in>0,bytes_in,EventCode)
which I totally made up and is nonsense, but it does work.
BTW, be sure to set permissions appropriately on the macro! You can browse the docs on macros for more.
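As an added illustration of the approach described in this answer (not from the original poster), here is what the two macro definitions would look like in a macros.conf stanza pair, with one calling search that aliases fields to the generic names first. The macro names, field names and tag values are assumptions.

```ini
# Added example (not from the original post): two macros.conf stanzas that
# differ only in argument count. Names and field values are assumptions.
[my-table(4)]
args = arg1,arg2,arg3,arg4
definition = table $arg1$ $arg2$ $arg3$ $arg4$

[my-table(5)]
args = arg1,arg2,arg3,arg4,arg5
definition = table $arg1$ $arg2$ $arg3$ $arg4$ $arg5$

# Calling with four fields resolves to my-table(4), five fields to my-table(5):
#   ... | `my-table(src dest action severity)`
#   ... | `my-table(src dest action severity signature)`
#
# To let the displayed column depend on the event's tag, alias the field
# before calling the macro (tag values and field names are assumed):
#   ... | eval a1=case(tag=="ids", ids_type, tag=="malware", signature, true(), category)
#       | eval a2=src, a3=dest, a4=action
#       | `my-table(a1 a2 a3 a4)`
```

Remember to share the macro (app- or global-level permissions) if other users' searches need to call it.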
Not really sure how this helps. I don't want to show statistics for each field. The table should just show the value of the fields for each event. This is my search:
index=* sourcetype!="XXX-CEF" vendor!="XXX" $ip$ OR $URL$ AND (tag=ids OR tag=attack OR tag=report OR tag=vulnerability OR tag=malware OR tag=operations) | table vendor* ,dvc*,ids_type,tag,action*,category,signature,src*,dest*,user,severity*,_raw
I want to be able to adjust the table fields depending on what tags are included.