topic Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index) in Splunk Search

How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol — Mon, 28 Sep 2020 14:14:26 GMT

Hey guys, having a little trouble with this one.

How does one include the index in a table. This doesn't work:

(index=cwdswindows OR index=cwds) earliest_time="-7d"| stats max(_time) AS last_seen by host | sort host | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(last_seen) | table host, last_seen, index

I know it is pretty obvious by which index I search that is obviously the resulting index, but it would be nice if when I am sent the alert I can visibly see the source of the host and time last seen in my data table. I'm guessing since index is not a field, but rather a source full of fields, that is the issue. What is the way around this?

Thanks for any help at all!

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

asimagu — Wed, 03 Jul 2013 03:19:30 GMT

it should work like that, you can try without the commas

table host last_seen index

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol — Wed, 03 Jul 2013 03:24:31 GMT

Hm I can't imagine without commas would make the difference, but I will try when I get back to my machine tomorrow! I'll let you know. Thanks.

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

asimagu — Wed, 03 Jul 2013 03:32:55 GMT

I tried showing the index field in a table and it worked for me with and without the commas... it's worth trying 😉

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

grijhwani — Wed, 03 Jul 2013 03:49:39 GMT

You need to include index in your "stats" clause, otherwise it will not be present for the table clause.

Initially I thought it was because you had "convert" before rather than after "table", but that works either way.

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol — Wed, 03 Jul 2013 03:57:30 GMT

Awesome! Thank you for trying to replicate my search to accurately diagnose the issue. I'll be sure to try this and vote your answer if it works.

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol — Wed, 03 Jul 2013 03:58:27 GMT

Did you try using convert in your search? The guy below said that when using convert, it has to come after table.

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

asimagu — Wed, 03 Jul 2013 04:01:17 GMT

No, I did not use convert, he may be right then

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

gkanapathy — Wed, 03 Jul 2013 04:49:59 GMT

index is an ordinary field like any other. The reason it does not appear for you is that your stats command removes it. It will remove any field except those specified. If you really only have a single index, you modify your stats command by adding either first(index) as index, adding index to the split-by clause.

Re: How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol — Wed, 03 Jul 2013 14:29:39 GMT

Ahah! Including index in my stats clause definitely fixed the issue. Thank you thank you.