Splunk Search

How to show a table listing FIELDA values when FIELDB equals 00.000?

rayleadingham
Explorer

Hi all
I have read the documentation and tested for hours but I am somehow not grasping how searching works.

I have 7000 events with multiple fields. I would like to display a table with one column called FieldA and populate the table with the value of FIELDA for every event where FIELDB = 00.000

Examples of the things I have tried:

index=index FIELDA | table FieldA | FIELDB=00.000
index=index FIELDA where FIELDB=00.000 AS FieldA by index

Any feedback or advice on how to achieve what I am trying to do would be much appreciated. The amount of Splunk documentation is a bit overwhelming.

Thank you!!!

0 Karma

FrankVl
Ultra Champion

Your first attempt is close, but once you apply | table FieldA, that is the only field you have, so you can't then filter for FieldB anymore. So you need to first do the filtering and then apply the table command to only show FieldA.

index=index FIELDB="00.000" | table FieldA


rayleadingham
Explorer

This is excellent, simple and exactly what I was looking for!

Thank you!

0 Karma

deepashri_123
Motivator

Hey @rayleadingham,

You can try this:
index=index | table FieldA FieldB | where FieldB="00.000"

Let me know if this helps!!

0 Karma

niketn
Legend

@deepashri, I think the right way would be to get only the required events from the index

index=index FieldB="00.000" 
| table FieldA FieldB 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

rayleadingham
Explorer

Thank you for your comments and suggestions, this works exactly like the answer that was written.

Great help and much appreciated!
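
The ordering effect described in the accepted answer can be reproduced without the original index. This is an added example, not part of any post in this thread; the six events generated by makeresults and their FieldA/FieldB values are constructed. Run the two searches separately: the first returns no rows because table has already discarded FieldB before where runs, while the second filters first and returns item-2, item-4 and item-6.

```spl
| makeresults count=6
| streamstats count AS n
| eval FieldA="item-".n, FieldB=if(n%2==0, "00.000", "12.345")
| table FieldA
| where FieldB="00.000"

| makeresults count=6
| streamstats count AS n
| eval FieldA="item-".n, FieldB=if(n%2==0, "00.000", "12.345")
| where FieldB="00.000"
| table FieldA
```

Against a real index the filter belongs in the base search, as in the replies above, so that non-matching events are never retrieved. Field names are case-sensitive, so the name used in the filter and in table must match the extracted field exactly.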
