Need to add value after extracting field

SS1 · ‎11-30-2020

Hi,

I have the below base search,

index="appv" (sourcetype="AppV-User" *PUT /package*) OR (sourcetype=sql_appv_packageversion) | rex "\/packages\/\w+\/(?<Id>\w+)\s+-\s+\d+\s+(?<User>[^ ]+)" | stats dc(sourcetype) AS dc_sourcetype values(Name) AS Name values(User) AS User BY Id | where dc_sourcetype=2

Statistics of this search is as below,

Id dc_sourcetype Name User
323 2 Putty v0.72 User A

I have extracted a field called 'Enabled' which has values of either Enabled=0 or Enabled=1

How do i update my search query so the table is shown as below

Id dc_sourcetype Name User Enabled
323 2 Putty v0.72 User A 0 or 1

SS1 · ‎11-30-2020

thanks for the response. I tried this query but Enabled is not giving any value

Id dc_sourcetype Name User Enabled
323 2 Putty v0.72 User A

493669 · ‎11-30-2020

@SS1 Does `Enabled` field is getting extracted already? if not then add `Enabled` field extraction logic before stats command.

493669 · ‎11-30-2020

@SS1 you may want to use values(<fieldname>) as <newfieldname> like below-

index="appv" (sourcetype="AppV-User" *PUT /package*) OR (sourcetype=sql_appv_packageversion) | rex "\/packages\/\w+\/(?<Id>\w+)\s+-\s+\d+\s+(?<User>[^ ]+)" | stats dc(sourcetype) AS dc_sourcetype values(Name) AS Name values(User) AS User values(Enabled) as Enabled BY Id | where dc_sourcetype=2

Need to add value after extracting field

alert condition

cron

email

other

python

throttling

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life