Splunk Search

Is it possible to add columns dynamically if values are available in the same table?

john
Communicator

Hi,

Is it possible to add columns to the table dynamically (at runtime) if values are available for that field? Otherwise it should not show in the same table.

eg:

1  name value id
   a 1 100

2  name value id product
   b 2 200 xxxxx

3  name value id
   v 3 300

In the second case there is a value available for the product column, so it is showing in the same table.
In the first case no values are available for the product column, so it is not showing that column in the table.
Is this possible?

1 Solution

Ayn
Legend

You could achieve this by making use of the wildcard matching functionality for fields in table. By specifying you want product* included, Splunk will check what fields are available and include any matching ones as a table column.

... | table name value id product*

The caveat is that you'll also get any other matching fields, so if you have a field called productfoo the table will contain that as well.

john
Communicator

Thanks Ayn...

Ayn
Legend

In that case the technique I proposed will work. If product is showing up in the table, then it is because at least one of the events in the table has a product field with some value.

john
Communicator

I am not sure, but the product field is not returning any value, yet it is still coming in the table. I am using regex to find a particular string that is not present in all events. So what I want is: if it is present, show it in the table. If it is not present, that column should not display in the table with all null values.

Ayn
Legend

If the product field doesn't exist at all in your search, the product column will not be present in your table. Do you perhaps have some event with the product field and some others without it? In that case the column will be present.

john
Communicator

Hi Ayn, my query is that I don't want to show the column name either, like in the first row. That means in the 1st row product is not available, so the header (column name) also should not show.

This is the output I am getting:
table name value id product*

name value id product

a 1 100

What I am expecting is that the column (product) should not come into that table if data is not available for it. That is, the user should know that there is a column named product existing until there is a value available for that column.
