https://community.splunk.com/t5/Splunk-Enterprise/how-to-add-a-column/m-p/648793#M16702 <P>Hi</P><P>Based on your query, it should be there (just "correctly" formatted, &nbsp;You get this by press Ctrl/Cmd+F)</P><LI-CODE lang="markup">| savedsearch ABC | join type=left BS_ID [| search index="PQR" source=XYZ | rename BS_CODE as BS_ID SERVICE_OWNER as "System Owner" BUSINESS_OWNER as "Business Owner" SERVICE_SUBCATEGORY as Function SDM_FULLNAME as SDM | sort LOGICAL_NAME | eval Application = DESCRIPTION | rex mode=sed field=Application "s/^Managed//g" | rex mode=sed field=Application "s/Application$//g" | rex mode=sed field=Application "s/application$//g" | eval Application = trim(Application) | streamstats count as NO by BS_ID | eventstats max(NO) as MaxTotal by BS_ID | where NO=MaxTotal | eval Function=case(Function="Service Excellence COE" and Application="Medical Insights Reporting","Service Excellence CoE",1=1,Function) | table BS_ID Application Function SDM "System Owner" "Business Owner"] | lookup countries.csv name as COUNTRY outputnew latitude, longitude, name | eval COUNTRY = if(isnull(COUNTRY),"NA",COUNTRY) | eval DEPARTMENT_LONG_NAME = if(isnull(DEPARTMENT_LONG_NAME),"NA",DEPARTMENT_LONG_NAME) | eval DEPARTMENT_SHORT_NAME = if(isnull(DEPARTMENT_SHORT_NAME),"NA",DEPARTMENT_SHORT_NAME)</LI-CODE><P>Are you sure that your</P><LI-CODE lang="markup">| savedsearch ABC </LI-CODE><P>&nbsp;return that field, when you are running it that way?</P><P>r. Ismo</P> Fri, 30 Jun 2023 11:01:15 GMT isoutamo 2023-06-30T11:01:15Z https://community.splunk.com/t5/Splunk-Enterprise/how-to-add-a-column/m-p/648789#M16701 <P>Hi , needed a help. i need to add a column that is added newly to the sql data.below is the query<BR /><FONT size="1 2 3 4 5 6 7">| savedsearch <FONT face="arial black,avant garde">ABC</FONT></FONT><BR /><FONT size="1 2 3 4 5 6 7">| join type=left BS_ID [| search index="PQR" source=XYZ</FONT><BR /><FONT size="1 2 3 4 5 6 7">| rename BS_CODE as BS_ID SERVICE_OWNER as "System Owner" BUSINESS_OWNER as "Business Owner" SERVICE_SUBCATEGORY as Function SDM_FULLNAME as SDM </FONT><BR /><FONT size="1 2 3 4 5 6 7">| sort LOGICAL_NAME | eval Application = DESCRIPTION</FONT><BR /><FONT size="1 2 3 4 5 6 7">| rex mode=sed field=Application "s/^Managed//g" | rex mode=sed field=Application "s/Application$//g" | rex mode=sed field=Application "s/application$//g"</FONT><BR /><FONT size="1 2 3 4 5 6 7">| eval Application = trim(Application) </FONT><BR /><FONT size="1 2 3 4 5 6 7">| streamstats count as NO by BS_ID</FONT><BR /><FONT size="1 2 3 4 5 6 7">| eventstats max(NO) as MaxTotal by BS_ID</FONT><BR /><FONT size="1 2 3 4 5 6 7">| where NO=MaxTotal</FONT><BR /><FONT size="1 2 3 4 5 6 7">|eval Function=case(Function="Service Excellence COE" and Application="Medical Insights Reporting","Service Excellence CoE",1=1,Function)</FONT><BR /><FONT size="1 2 3 4 5 6 7">| table BS_ID Application Function SDM "System Owner" "Business Owner"]</FONT><BR /><FONT size="1 2 3 4 5 6 7">| lookup countries.csv name as COUNTRY outputnew latitude, longitude, name</FONT><BR /><FONT size="1 2 3 4 5 6 7">| eval COUNTRY = if(isnull(COUNTRY),"NA",COUNTRY)</FONT><BR /><FONT size="1 2 3 4 5 6 7">| eval DEPARTMENT_LONG_NAME = if(isnull(DEPARTMENT_LONG_NAME),"NA",DEPARTMENT_LONG_NAME)</FONT><BR /><FONT size="1 2 3 4 5 6 7">| eval DEPARTMENT_SHORT_NAME = if(isnull(DEPARTMENT_SHORT_NAME),"NA",DEPARTMENT_SHORT_NAME)<BR /><BR /><FONT size="3">my ABC savedsearch has a column newly added as Category. i need to get into this saved search<BR /></FONT></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Keerthi_0-1688120984970.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26092i915895E133805EFC/image-size/medium?v=v2&amp;px=400" role="button" title="Keerthi_0-1688120984970.png" alt="Keerthi_0-1688120984970.png" /></span></P><P>&nbsp;</P><P><FONT size="1 2 3 4 5 6 7"><FONT size="3"><BR /></FONT></FONT></P> Fri, 30 Jun 2023 10:29:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/how-to-add-a-column/m-p/648789#M16701 Keerthi 2023-06-30T10:29:54Z https://community.splunk.com/t5/Splunk-Enterprise/how-to-add-a-column/m-p/648793#M16702 <P>Hi</P><P>Based on your query, it should be there (just "correctly" formatted, &nbsp;You get this by press Ctrl/Cmd+F)</P><LI-CODE lang="markup">| savedsearch ABC | join type=left BS_ID [| search index="PQR" source=XYZ | rename BS_CODE as BS_ID SERVICE_OWNER as "System Owner" BUSINESS_OWNER as "Business Owner" SERVICE_SUBCATEGORY as Function SDM_FULLNAME as SDM | sort LOGICAL_NAME | eval Application = DESCRIPTION | rex mode=sed field=Application "s/^Managed//g" | rex mode=sed field=Application "s/Application$//g" | rex mode=sed field=Application "s/application$//g" | eval Application = trim(Application) | streamstats count as NO by BS_ID | eventstats max(NO) as MaxTotal by BS_ID | where NO=MaxTotal | eval Function=case(Function="Service Excellence COE" and Application="Medical Insights Reporting","Service Excellence CoE",1=1,Function) | table BS_ID Application Function SDM "System Owner" "Business Owner"] | lookup countries.csv name as COUNTRY outputnew latitude, longitude, name | eval COUNTRY = if(isnull(COUNTRY),"NA",COUNTRY) | eval DEPARTMENT_LONG_NAME = if(isnull(DEPARTMENT_LONG_NAME),"NA",DEPARTMENT_LONG_NAME) | eval DEPARTMENT_SHORT_NAME = if(isnull(DEPARTMENT_SHORT_NAME),"NA",DEPARTMENT_SHORT_NAME)</LI-CODE><P>Are you sure that your</P><LI-CODE lang="markup">| savedsearch ABC </LI-CODE><P>&nbsp;return that field, when you are running it that way?</P><P>r. Ismo</P> Fri, 30 Jun 2023 11:01:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/how-to-add-a-column/m-p/648793#M16702 isoutamo 2023-06-30T11:01:15Z