topic Re: How to add a column to the results table based on an existing field? in Splunk Search

How to add a column to the results table based on an existing field?

ivtashev — Wed, 25 Apr 2018 20:36:46 GMT

Hello:

I am trying to add a column to the results table, the reason for this is so that I can then use that value for populating a token. Here is the search:

1.  <search here> 
2.  | chart latest(Data) AS "Data" over Time by Thread
3.  | sort + Time 
4.  | eval Goal=25 
5.  | eval Min=18 
6.  | eval LastPrimer=Primer

The results table of this looks like:

  Time   Goal    Min             data1    data2    data3
    0    25          18                   29.2728     26.2105   14.8187
    1    25          18                 29.6007   28.9153   14.9330

I want to also see LastPrimer in the results table. Primer is an indexed field.

Re: How to add a column to the results table based on an existing field?

TISKAR — Wed, 25 Apr 2018 22:19:13 GMT

Hello,

You can use appendcols command:

<search here> 
  | chart latest(Data) AS "Data" over Time by Thread
  | sort + Time 
  | eval Goal=25 
  | eval Min=18 
  | appendcols [search <search here> | eval LastPrimer=Primer | table LastPrimer`]

Simple Example (You can past this request in your bare search):

  index="_internal" 
    | bin _time span=1d
    | stats count by _time
    | appendcols 
        [search index="_internal" 
        | table log_level 
        | dedup log_level]