Splunk Search

Quick way to add fields to a table?

swayzy_youssef
Engager

If I want to table out a field called "A," I have to manually type "A" in my search. Is there a quicker way to add fields to table out in my search? I know that I can get all fields by doing:

| table *
OR
| table a*

but this way grabs way too many fields.

I can quickly add values to my search from a field by clicking on the field list, but I was wondering if there was a way to do this with the field itself.

Thank you


inventsekar
SplunkTrust

Looks like there are no shortcut paths for this issue.
A search macro is one good workaround.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Knowledge/Usesearchmacros

Steps for creating search macros:

1. Navigate to Settings > Advanced Search > Search macros.
2. Click New to create a new search macro.
3. Change the Destination App to the app you want to restrict your search macro to if it has defaulted to the wrong app.
4. Provide a unique Name for the search macro.
5. In Definition, provide the search string that the macro expands to when you reference it in another search.

(For example, table action_time_taken_to_complete can be saved as tableAction, and then you can use it in your searches.)
(optional steps removed)
10. Click Save to save your search macro.

Design a search macro definition

The fundamental part of a search macro is its definition, which is the SPL chunk that the macro expands to when you reference it in another search. There are a few things that you should know before you design a search macro definition.

If your search macro definition has variables that must be input by the macro user, put them in the definition as tokens that have dollar signs wrapped around them. For example, $arg1$ could be the first argument in a search macro definition.

Pipe characters and generating commands in macro definitions

When you use generating commands such as search, inputlookup, or tstats in searches, you always put them at the start of the search, with a leading pipe character.

However, if you want your search macro to use a generating command, you should remove the leading pipe character from the macro definition, and instead place it at the start of the search string that you are inserting the search macro into, in front of the search macro reference.

For example, say you have a search macro named mygeneratingmacro that has the following definition:

tstats latest(_time) as latest where index!=filemon by index host source sourcetype

The definition of mygeneratingmacro begins with the generating command tstats. Instead of preceding tstats with a pipe character in the macro definition, you put the pipe character in the search string, ahead of the search macro reference, like this:

| mygeneratingmacro

niketn
Legend

@swayzy_youssef, using wildcards you can remove or retain the fields you need with the fields or fields - command, and then table whatever remains. (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields)
PS: Field inclusion up front will actually lead to a performance improvement, i.e. using fields or fields +.

If you are putting specific fields in a table and do not want to type the field names every time the same table needs to be displayed in various search queries, you can save | table <YourFields> as a macro to be reused.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
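Putting the two answers together, the macros they describe look like this in macros.conf (an added example, not from either post or from Splunk's docs; field names beyond action_time_taken_to_complete, the index names, and the macro name table_cols with its argument cols are assumed):

```ini
# macros.conf stanzas (added example, not from either post or from Splunk's
# own docs). Field names other than action_time_taken_to_complete, the
# index names and the table_cols/cols names are assumed.

# Fixed-column table macro, as in inventsekar's example. Invoked as:
#   index=app sourcetype=app_log | `tableAction`
[tableAction]
definition = table _time host action_time_taken_to_complete

# Same idea with an argument, so the caller picks the extra columns.
# The stanza name carries the argument count; the token $cols$ is
# replaced with whatever the caller passes. Following niketn's note,
# the definition includes the fields first so later pipeline stages
# only carry the columns that are needed. Invoked as:
#   index=web | `table_cols(clientip status uri_path)`
[table_cols(1)]
args = cols
definition = fields + _time host $cols$ | table _time host $cols$

# Generating-command macro from the quoted docs: no leading pipe in the
# definition; the pipe goes in the calling search, e.g.
#   | `mygeneratingmacro`
[mygeneratingmacro]
definition = tstats latest(_time) as latest where index!=filemon by index host source sourcetype
```

Macros created through Settings > Advanced Search > Search macros are written to macros.conf in the chosen app, so the stanzas above are what the UI steps produce.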

niketn
Legend

@swayzy_youssef, please accept one of the answers provided to mark this question as answered.
