https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201917#M58552 <P>Something like:</P> <PRE><CODE>| eval searched_text=if(match(_raw,"Starting"),"Starting",if(match(_raw,"Stopping"),"Stopping","")) </CODE></PRE> <P>assuming you don't have events which match both "Starting..." and "Stopping...".</P> <P>This is good if you have just a few possible search terms, but may get ugly quickly. You can also have series of eval each creating (or not creating) a different field and then coalesce them into one.</P> <P>Hope I gave you enough ideas <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 19 Dec 2016 16:27:56 GMT arkadyz1 2016-12-19T16:27:56Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201916#M58551 <P>Greetings,</P> <P>I'm search my Linux hosts for when the local firewall starts/stops. So I'm using the query:</P> <PRE><CODE>index= host=* source=/var/log/messages "Starting IPv4 firewall with iptables" (or Stopping when Applicable) </CODE></PRE> <P>How can I create a table column that displays the text "Starting IPv4 . . . ". I'd like to add that to the table with the time and host name. The first two are easy. However, since the text isn't a field I can add that. Can anyone provide any suggestions or help? Thanks.</P> Mon, 19 Dec 2016 15:24:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201916#M58551 SplunkLunk 2016-12-19T15:24:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201917#M58552 <P>Something like:</P> <PRE><CODE>| eval searched_text=if(match(_raw,"Starting"),"Starting",if(match(_raw,"Stopping"),"Stopping","")) </CODE></PRE> <P>assuming you don't have events which match both "Starting..." and "Stopping...".</P> <P>This is good if you have just a few possible search terms, but may get ugly quickly. You can also have series of eval each creating (or not creating) a different field and then coalesce them into one.</P> <P>Hope I gave you enough ideas <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 19 Dec 2016 16:27:56 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201917#M58552 arkadyz1 2016-12-19T16:27:56Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201918#M58553 <P>You can create your own search time field extraction for Starting IPv4 firewall with iptables and Stopping IPv4 firewall with iptables as Status = Starting or Status=Stopping.</P> <P>You can do the same through rex, erex or interactive field extraction in Splunk during search time through Extract new fields. You can also do the same through props.conf.</P> <P>Would it be possible for your to share couple of example events?</P> Mon, 19 Dec 2016 18:36:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201918#M58553 niketn 2016-12-19T18:36:15Z https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201919#M58554 <P>Like this:</P> <PRE><CODE>index= host=* source=/var/log/messages "Starting IPv4 firewall with iptables" OR "Stopping when Applicable" | eval IPv4_Firewall_with_iptables=if(searchmatch("Starting IPv4 firewall with iptables"), "Starting ", "Stopping") | table _time IPv4_Firewall_with_iptables </CODE></PRE> Thu, 06 Apr 2017 14:39:26 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-include-queried-text-string-in-a-table-output/m-p/201919#M58554 woodcock 2017-04-06T14:39:26Z