Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show a table listing FIELDA values when FIELDB equals 00.000?

rayleadingham
Explorer
‎06-21-2018 03:04 AM

Hi all
I have read the documentation and tested for hours but I am somehow not grasping how searching works.

I have 7000 events with multiple fields. I would like to display a table with one column called FieldA and populate the table with the value of FIELDA for every event where FIELDB = 00.000

Examples of the things I have tried:

index=index FIELDA | table FieldA | FIELDB=00.000
index=index FIELDA where FIELDB=00.000 AS FieldA by index

Any feedback or advice on how to achieve what i am trying to do would be much appreciated. The amount of Splunk documentation is a bit overwhelming.

Thank you!!!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-21-2018 04:42 AM

Your first attempt is close, but once you apply | table FieldA, that is the only field you have, so you can't then filter for FieldB anymore. So you need to first do the filtering and then apply the table command to only show FieldA.

index=index FIELDB="00.000" | table FieldA

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎06-21-2018 04:42 AM

Your first attempt is close, but once you apply | table FieldA, that is the only field you have, so you can't then filter for FieldB anymore. So you need to first do the filtering and then apply the table command to only show FieldA.

index=index FIELDB="00.000" | table FieldA
Reply
Solved! Jump to solution

rayleadingham
Explorer
‎06-21-2018 04:47 AM

This is excellent, simple and exactly what I was looking for!

Thank you!

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎06-21-2018 04:34 AM

Hey@rayleadingham,

You can try this:
index=index | table FieldA FieldB | where FieldB="00.000"

Let me know if this helps!!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-21-2018 04:40 AM

@deepashri, I think right way would be to get only required events from index

index=index FieldB="00.000" 
| table FieldA FieldB
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

rayleadingham
Explorer
‎06-21-2018 04:49 AM

Thank you for your comments and suggestions, this works exactly like the answer that was written.

Great help and much appreciated!

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...