Dashboards & Visualizations

How to hard code a column to dashboard

ramyaashok
New Member

Hi,
I have created a dashboard based on various search criteria. I would like to add a column (Say A) to it,
based on one of the output column(Say B) which I got after the search.
Here Column B value must be matched against the information that I have and need to hard code it.
Can anyone suggest how can I achieve this?

existing output:

ABC    ONE
DEF    TWO

Hardcode information:

ONE    RED
TWO   Black

Needed output:

ABC    ONE   RED
DEF    TWO   Black
0 Karma

evania
Splunk Employee
Splunk Employee

Hi @ramyaashok ,

Did you have a chance to check out some answers? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@ramyaashok

You can use lookup like: <query to get existing output> | lookup color.csv NUM OUTPUT COLOR

color.csv

NUM,COLOR
ONE,RED
TWO,Black

existing output
SOME_FIELD,NUM
ABC,ONE
DEF,TWO

Notice that your existing result has column name NUM that need to be match with NUM column in lookup.

Hope this helps!!!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ramyaashok,
if you have few values, at the end of your search you can add an eval command

your_search
| table field1 field2
| eval field3=case(field2="ONE","RED",field2="TWO","Black")

if instead you have many values, you have to create a lookup with all your values (e.g. "my_lookup.csv"

field2,field2
ONE,RED
TWO,Black
...,...

and then use the lookup command

your_search
| lookup my_lookup.csv field2 OUTPUT field3
| table field1 field2 field3

Bye.
Giuseppe

0 Karma

ramyaashok
New Member

Thanks Giuseppe, it worked for me. but there is one other thing here, I need to populate the values as "NA" if the value is not present in my output column.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ramyaashok,
see the fillnull command:

...
| fillnull value="NA" field3

otherwise, if you use the eval command, you can insert a condition for empty values.
...
| eval field3=if(isnull(field3),"NA","field3)
Bye.
Giuseppe

P.S.:
if you're satisfied of this answer, please accept and/or upvote it.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ramyaashok,
if you're satisfied of this answer, please accept and/or upvote it.
Bye, see next time.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...