
How to access data from table that is not displayed

mabinn
Explorer

Hello,

I have a table with three columns, but I only want to display two columns, so I use the fields command. When I click either column 1 or 2 from my dashboard, I want to access the column_3 data with this token:

$row.column_3|n$.

However, I am no longer able to access the column_3.

<query>
  index=* | table column_1, column_2, column_3
  | fields column_1, column_2
</query>


<drilldown>
  <link>
      myapplication/$row.column_3|n$
  </link>
</drilldown>

I tried debugging my code. Anywhere I click, I always go to "myapplication/$row.column_3|n$"

But when I change to either:

myapplication/$row.column_2|n$
OR
myapplication/$row.column_1|n$

I am getting the values accordingly. So it seems that $row.fieldname$ is working fine. Does anyone know what's going on? I thought fields allows me to display what I want but keeps all the values from my table?

PS: I know that this workaround exists, but this line of code is not accepted if I have a column chart.

<field> ["column_1", "column_2"] </field>

Thank you in advance!!

gorba
Engager

This worked for me:

 <table>
    <search>
      <query>
          index=* | table column_1, column_2, column_3
      </query>
    </search>
    <fields>column_1, column_2</fields>
    <option>
    ...
    </option>
    <drilldown>
      <link>
          myapplication/$row.column_3$
      </link>
    </drilldown>
  </table>

The fields tag decides which columns are shown, and the link still has a connection to the column_3 you set with the table command.


richgalloway
SplunkTrust

The fields command doesn't control what is displayed; it controls what fields are available to subsequent commands. By saying fields column_1, column_2 you've discarded all other fields and no command can bring them back.

BTW, using table followed by fields is somewhat redundant. The table command controls the order in which fields are displayed and also specifies which fields are available downstream. fields also says which fields are available downstream. When both are needed, fields usually precedes table.

---
If this reply helps you, Karma would be appreciated.

mabinn
Explorer

Thanks for the info! It sounds like I need to display all three columns in my table in order to use row.? Do you know if there is any way (other than CSS) to hide my table column but access its data?
