Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to hard code a column to dashboard

ramyaashok
New Member
‎06-06-2019 06:07 AM

Hi,
I have created a dashboard based on various search criteria. I would like to add a column (Say A) to it,
based on one of the output column(Say B) which I got after the search.
Here Column B value must be matched against the information that I have and need to hard code it.
Can anyone suggest how can I achieve this?

existing output:

ABC    ONE
DEF    TWO

Hardcode information:

ONE    RED
TWO   Black

Needed output:

ABC    ONE   RED
DEF    TWO   Black
0 Karma
Reply

evania
Splunk Employee
Splunk Employee
‎06-17-2019 03:33 PM

Hi @ramyaashok ,

Did you have a chance to check out some answers? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-06-2019 06:46 AM

@ramyaashok

You can use lookup like: <query to get existing output> | lookup color.csv NUM OUTPUT COLOR

color.csv

NUM,COLOR
ONE,RED
TWO,Black

existing output
SOME_FIELD,NUM
ABC,ONE
DEF,TWO

Notice that your existing result has column name NUM that need to be match with NUM column in lookup.

Hope this helps!!!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2019 06:33 AM

Hi ramyaashok,
if you have few values, at the end of your search you can add an eval command

your_search
| table field1 field2
| eval field3=case(field2="ONE","RED",field2="TWO","Black")

if instead you have many values, you have to create a lookup with all your values (e.g. "my_lookup.csv"

field2,field2
ONE,RED
TWO,Black
...,...

and then use the lookup command

your_search
| lookup my_lookup.csv field2 OUTPUT field3
| table field1 field2 field3

Bye.
Giuseppe

0 Karma
Reply

ramyaashok
New Member
‎06-06-2019 10:02 PM

Thanks Giuseppe, it worked for me. but there is one other thing here, I need to populate the values as "NA" if the value is not present in my output column.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2019 01:01 AM

Hi ramyaashok,
see the fillnull command:

...
| fillnull value="NA" field3

otherwise, if you use the eval command, you can insert a condition for empty values.
...
| eval field3=if(isnull(field3),"NA","field3)
Bye.
Giuseppe

P.S.:
if you're satisfied of this answer, please accept and/or upvote it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-31-2019 05:45 AM

Hi ramyaashok,
if you're satisfied of this answer, please accept and/or upvote it.
Bye, see next time.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...