Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

emit 3-column table from search (like CHART without aggregation)

Justin_Grant
Contributor
‎03-25-2010 05:36 PM

My search returns 10 fields in each event and I want to create a table with one row per event and columns for 3 of those fields. What's the right search command to use?

Essentially I want a slimmed-down version of the CHART command which doesn't do any aggregation but simply emits the fields I specify into a table.

I know I can manually, via clicking in the UI, elect to include the 3 fields in my results and then click the "events table" button to see a table, but I was looking for a search-language-only way to get this, ideally without having to see "_time" since I don't need it in my table.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ftk
Motivator
‎04-09-2010 06:48 PM

In 4.1:

sourcetype="syslog" | fields host, src, dst

Will display the three fields plus _time, so 4 fields total.

sourcetype="syslog" | table host, src, dst

Will display only the three fields specified.

View solution in original post

Reply
Solved! Jump to solution
Solution

ftk
Motivator
‎04-09-2010 06:48 PM

In 4.1:

sourcetype="syslog" | fields host, src, dst

Will display the three fields plus _time, so 4 fields total.

sourcetype="syslog" | table host, src, dst

Will display only the three fields specified.

Reply
Solved! Jump to solution

Justin_Grant
Contributor
‎04-09-2010 07:08 PM

@Ledion's answer below is accurate and solved my problem, but @ftk I'm accepting your answer because it includes useful details so I could understand why fields wasn't good enough, and that I need to be on 4.1 to use this command.

0 Karma
Reply
Solved! Jump to solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎03-26-2010 11:11 PM 
.... | table column1, column2, column3
Reply
Solved! Jump to solution

Justin_Grant
Contributor
‎04-09-2010 07:06 PM

I only wanted to see those specific fields. Per @ftk's answer above, fields also includes _time in the table. When you're not interested in time (as I wasn't in this case where I cared about the events but not when they showed up), table is better.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-30-2010 05:25 AM

And why does it need to exist? Or rather, what is the reason that both fields and table would both be needed?

0 Karma
Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎03-26-2010 11:57 PM

is table a 4.1 command?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...