Splunk Search

Is it possible to add labels to values in a results table?

DaClyde
Contributor

Is there any way to tack labels, like units of measure, onto values in a table of results, similar to how it can be done in single value panels in a dashboard? I have a table where the column header is the type of data, and the values are how many days it has been since an account has moved that type of data.

Instead of having to add a legend or explanatory blurb about "values listed in Days", I'd just like my values to show up as:

SITE/USER        PUBS     NSE    NAOY
Clarksville        0d      0d      0d
Killeen            1d      2d      2d
Savannah           7d     15d     15d

instead of the default naked values:

SITE/USER        PUBS     NSE    NAOY
Clarksville        0       0       0
Killeen            1       2       2
Savannah           7      15      15


dwaddle
SplunkTrust

This is a little hackish, but if you aren't going to do further analysis on the numeric values you can treat them as strings and add a unit that way using eval. It would work something like:

your_search | eval xyz=xyz."unit"

This does a string append of "unit" to the string value of the (possibly numeric) value xyz. Yes, ugly, but works in a dashboard if you need it.


sideview
SplunkTrust

As dwaddle says, the easiest way is to use eval to tack the suffixes/prefixes onto your values as so:

your_search | eval xyz=xyz."unit"

But this will have the side effect of making all the prefixes/suffixes come along with the drilldowns when the user clicks the table.

So another way to do this, and one that avoids that problem, is to use the Table module from Sideview Utils, and use its "custom embedding" feature.

<module name="Table">
  <module name="HTML" group="row.fields.PUBS">
    <param name="html">$row.fields.PUBS$d</param>
  </module>
  <module name="HTML" group="row.fields.NSE">
    <param name="html">$row.fields.NSE$d</param>
  </module>
  <module name="HTML" group="row.fields.NAOY">
    <param name="html">$row.fields.NAOY$d</param>
  </module>
</module>


DaClyde
Contributor

For what I'm doing at the moment, that is absolutely perfect, thanks!
