topic Re: How to add a row into table? in Splunk Search

How to add a row into table?

jyamie — Mon, 10 Aug 2015 21:35:04 GMT

How can I add a row into a table either manually or through a look-up table? I would like to insert the row right below the column headers, and will use them to include descriptions of each column.

Re: How to add a row into table?

woodcock — Mon, 10 Aug 2015 21:41:36 GMT

Like this:

... | append [ | noop | stats count AS desc1 | eval _time=now() + 1 |  eval desc1="This describes field 1" | eval desc2="This describes field2" ] | sort 0 - _time

Or you can swap all the _time stuff with a bookend of leading and trailing | reverse commands to put your appended row on top.

Re: How to add a row into table?

somesoni2 — Mon, 10 Aug 2015 22:41:32 GMT

There are two ways you can achieve this

1) Manually providing the description of columns in the search
Assuming, your output columns names are col1, col2 and col3 and appear in the output in same order. So try something like this

| gentimes start=-1 | eval col1="Description of col1" | eval col2="Description of col2" | eval col3="Description of col3" | table col1 col2 col3| append [ Your current search providing results with columns col1 col2 col3]

2) Using a lookup to add description
Assuming you've a lookup table file named FieldDescription.csv with two fields as 'field' and 'desc' try this.

Your current search providing results with columns col1 col2 col3 | eval sortcolumn=1| appendpipe [| stats first(*) as * | transpose | lookup FieldDescription.csv field as column OUTPUT desc | xyseries "row 1" column desc | fields - "row 1" | eval sortcolumn=0 ] | sort sortcolumn | fields - sortcolumn

Re: How to add a row into table?

jyamie — Tue, 11 Aug 2015 14:08:59 GMT

thanks, i haven't tried the lookup yet, but manually providing the descriptions worked great!

Re: How to add a row into table?

jyamie — Tue, 11 Aug 2015 14:32:15 GMT

when i do the lookup method, i get each description taking up its own row, so i end up with a layer of many rows. how can i merge them together? i followed your lookup query exactly

Re: How to add a row into table?

jyamie — Tue, 11 Aug 2015 14:33:05 GMT

i do have some empty cells, which may be why, in my lookup table

Re: How to add a row into table?

woodcock — Tue, 11 Aug 2015 14:37:01 GMT

BTW, this solution deliberately does NOT put your main search as the subsearch in the append command because this imposes subsearch limits on your search. Beware of any answers that subsearches your main search.