Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show only related fields when condition matches

vikashperiwal89
Engager
‎01-16-2021 07:12 AM

Hi Team,

 

I am trying to create a search which says 

If myField= xyz, then i need to show id , salary ,department fields in table

If myField = abc then need to show location, address, phone fields in tabke

Similarly if myField = ddd then need to show age, ht, gender.. fields in table

i was trying to use case , if statement but not sure how to get multiple fields in table based on condition....by using drop it would be easy as i can set condition and get the output , but want to do this in search..

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2021 07:19 AM

Hi @vikashperiwal89,

if you have few conditions, you could try something like this:

 

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

if you don't like to have all the fields in one field you can divide them after.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

vikashperiwal
Path Finder
‎01-17-2021 08:15 PM

@gcusello , 

 

The solution works , but i am getting all the fields values concatenated under one field.

Is it possible we have have each field as separate for example, extending the below use case

Your_search
| eval display_fields=case(myField="xyz", id." - ".salary." - ".department, myField="abc", location." - ".address." - ".phone, myField="ddd",age." - ".ht." - ".gender)
| table _time myField display_fields

 

I want in below format

_timemyFieldIdsalarydepartment
time vauexyz11000000cse
time valuexyz22000000IT
     
Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2021 11:17 PM

Hi @vikashperiwal,

yes, as I said, if you want divided fields, you have to divide them after display using e.g. a regex:

| rex field=display_fields "^(?<field1>[^-]+)-(?<field2>[^-]+)-(?<field3>.+)"

The problem is to give the correct name field to the column because SPL isn't a procedural language so you cannot rename a field based on an if  condition.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...