Is it possible to add labels to values in a results table?

DaClyde
Contributor

Is there any way to tack labels, like units of measure, onto values in a table of results, similar to how it can be done in single value panels in a dashboard? I have a table where the column header is the type of data, and the values are how many days it has been since an account has moved that type of data.

Instead of having to add a legend or explanatory blurb about "values listed in Days", I'd just like my values to show up as:

SITE/USER        PUBS     NSE    NAOY
Clarksville        0d      0d      0d
Killeen            1d      2d      2d
Savannah           7d     15d     15d

instead of the default naked values:

SITE/USER        PUBS     NSE    NAOY
Clarksville        0       0       0
Killeen            1       2       2
Savannah           7      15      15

dwaddle
SplunkTrust

This is a little hackish, but if you aren't going to do further analysis on the numeric values you can treat them as strings and add a unit that way using eval. It would work something like:

your_search | eval xyz=xyz."unit"

This does a string append of "unit" to the string value of the (possibly numeric) value xyz. Yes, ugly, but works in a dashboard if you need it.

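Added example, not part of dwaddle's post: the eval append applied to all three columns from the question with `foreach`, on constructed rows that match the question's table. `makeresults format=csv` assumes Splunk 9.0 or later, and the lowercase `site` column name is an assumption used only to build the sample rows. The `sort` comes before the append because the suffixed values are strings afterwards and no longer sort numerically.

```spl
| makeresults format=csv data="site,PUBS,NSE,NAOY
Clarksville,0,0,0
Killeen,1,2,2
Savannah,7,15,15"
| sort 0 - NSE
| foreach PUBS NSE NAOY
    [ eval <<FIELD>> = '<<FIELD>>' . "d" ]
| table site PUBS NSE NAOY
| rename site AS "SITE/USER"
```

Any `stats`, `where` or threshold comparison on these fields also has to run before the `foreach`, while the values are still numeric.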
sideview
SplunkTrust

As dwaddle says, the easiest way is to use eval to tack the suffixes/prefixes onto your values as so:

your_search | eval xyz=xyz."unit"

But this will have the side effect of making all the prefixes/suffixes come along with the drilldowns when the user clicks the table.

So another way to do this, and one that avoids that problem, is to use the Table module from Sideview Utils, and use its "custom embedding" feature.

<module name="Table">
  <module name="HTML" group="row.fields.PUBS">
    <param name="html">$row.fields.PUBS$d</param>
  </module>
  <module name="HTML" group="row.fields.NSE">
    <param name="html">$row.fields.NSE$d</param>
  </module>
  <module name="HTML" group="row.fields.NAOY">
    <param name="html">$row.fields.NAOY$d</param>
  </module>
</module>

DaClyde
Contributor

For what I'm doing at the moment, that is absolutely perfect, thanks!
