The feature you are looking for is trellis.  But Splunk doesn't currently do trellis for table visualization. (I'm almost sure that Grafana does.)  You can sort of hack something yourself if you are willing to get into the nitty-gritty Simple XML programming. (Or in Dashboard Studio source.)  Oh, you also need to know all possible values of SectionName in advance.  The basic idea is Run a <query /> to populate an aggregate token with values of Attribute in the same search window, e.g.,   index = websphere_cct (Object= "HJn5server1" Env="Prod") OR (Object = "HJn7server3" Env="UAT") SectionName="Process Definition" | spath path=Attributes | eval Attributes = mvappend("SectionName", json_array_to_mv(json_keys(Attributes)))   (Note this only runs in Splunk 8.0 and later.) Use <condition><progress /></condition> to set or unset a dedicated token for every possible SectionName value.  If the value exist in that aggregate token, set the token, otherwise unset it. Use these dedicated tokens to hide or show tables, one for each possible SectionName value. You can read about hide-and-show in Access tokens to show or hide user interface components, about set dynamic tokens in Search tokens for dynamic display example. Here is a mock dashboard you can play with. (I included comments about the actual search that you can substitute.)  Alas! The code is too long.  You can download/copy from here: Mock table trellis in Splunk Simple XML.   Here is a screenshot: As you can see, from your illustrated attribute list of 9, my mock search pretends to have found 4.  So, only those 4 corresponding trellis show on the left-hand side.  If you edit the attribute selection (in source), different tables will show.  In edit mode, all 9 tables are visible, with hidden ones in grey. (Right-hand side is the big table you illustrated, with all 9 attributes.) Several notes: You could have saved volunteers lots of time (and done yourself a favor) by illustrating sample data that matches your desired output.  The JSON in the description has too little in common with the table you show. As your search restricts SectionName to "Process Definition", it doesn't seem to make sense to list SectionName in the table. (SectionName is not an Attribute, any way.)  But I still included it in my emulation. Maintenance is painful and not very scalable like a true trellis feature. Hope this helps.

Hi!  Some good news We've found a better way to handle this. You can use globally defined function to translate your strings: i18n._("string_to_translate") can be converted to _("string_to_translate"). What's even better is that this works in both 8.x and 9.x. Just be careful if you (like us) import underscore as _ in your scripts as well as this can cause name clash. In that case simple renaming of imported library will suffice.  

Hi Ryan, Thanks for supporting. Yes I checked with the team and they told it is not possible to hide the other Agents. But I assume there should be some option or at least user/role level configuration to show only the Agents we are required. So we will see Metrics, Policies only relevant for our Agents.   Thanks. 

Hi @joxers25, for my knowledge the migration path is for Splunk Enterprise and not for Universal Forwarder so it shouldn't be required an intermediate step. But anyway Anyway, both versions 8.2.x and 9.1.1 are certified for Windows 2012/R2, as you can read at https://www.splunk.com/en_us/download/previous-releases-universal-forwarder.html Ciao. Giuseppe