Re: Table fields as variable

amiragha · ‎01-14-2019

Is there anyway to pass a variable to the table command? Basically, I have field1, field2 and field3 from my search. I cannot get this to work

eval myfields="field1,field2,field3)
| table myfields

Tried | Table $myfields$ too

Just trying to get | table field1 field2 field3

Thanks for any help

lmlamanna · ‎06-19-2019

I know this is an old post, but I found it today when I was trying to do something similar.

My situation was slightly different. I have a lookup file that lists the report fields and also the order they needed to be.

Here is a run anywhere example illustrating how I solved this problem.

| makeresults 
| eval field1="test1", field2="test2", field3="test3"
| table [| makeresults | eval myfields="field1,field2,field3"| return $myfields]

gcusello · ‎01-14-2019

Hi amiragha,
you can pass field names as a token, e.g.:

<input type="checkbox" token="fieldstodisplay">
      <label>Fields to display</label>
      <choice value="_time">Date and Time</choice>
      <choice value="host">Host</choice>
      <choice value="source">Source</choice>
      <choice value="_raw">Log Event</choice>
      <default>_time,host,source,_raw</default>
      <initialValue>_time,host,source,_raw</initialValue>
      <delimiter> </delimiter>
    </input>

and then put in your table command the token $fieldstodisplay$ .

Bye.
Giuseppe

vnravikumar · ‎01-14-2019

Hi @amiragha

The following code may help you, First build the dynamic column and pass that token dynamic_column to the actual query.

<form>
  <label>testtt</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="dynamic_column" depends="$hidethis$">
      <label>field2</label>
      <fieldForLabel>column</fieldForLabel>
      <fieldForValue>column</fieldForValue>
      <selectFirstChoice>true</selectFirstChoice>
      <search>
        <query>| makeresults 
| eval column="\"sourcetype\",\"index\",\"clientip\""
| fields column |head 1</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index="_internal" | table $dynamic_column$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

vnravikumar · ‎01-18-2019

@amiragha Whether it works?

niketn · ‎01-14-2019

@amiragha please add more details to your question for the community to assist you better. Current description is quite confusing as the search attached is incorrect. Please add context to your question as to what you currently have (data and fields) and what is your expected output from the same.

While posting the details around data/fields, mask/anonymize any sensitive information that you may have!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller · ‎01-14-2019

What is the underlying problem you're trying to solve?

Table fields as variable

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Table fields as variable

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?