How do I add a static column to search results?

New Member

I have a search that is pulling the number of times a service makes a call to an operation per hour. I have the base search working properly and would now like to add a static column that shows the SLA for each operation, but I am unsure how to do that and would appreciate some guidance.

Thanks!

loggingAppId=APPNAME | eval callingAppAndOperation=callingAppId.".".loggingOperationName | bin _time span=1h | stats count AS HourlyTotal by _time, callingAppAndOperation | sort -HourlyTotal | dedup callingAppAndOperation | sort callingAppAndOperation

Super Champion

Hey @jsights,

You should either use a CSV file as a lookup or a KV store to list all your static SLAs per operation. Then use the lookup command like this:

loggingAppId=APPNAME | eval callingAppAndOperation=callingAppId.".".loggingOperationName | bin _time span=1h | stats count AS HourlyTotal by _time, callingAppAndOperation | sort -HourlyTotal | dedup callingAppAndOperation | sort callingAppAndOperation | lookup yourLookupDefinitionName callingAppAndOperation OUTPUTNEW SLA

Cheers,
David

SplunkTrust

@jsights,

If you have a different SLA for each type of operation, try adding them to a lookup file and use it in your search.

i.e.
1. Create a lookup table with Operation, SLA
2. Add the lookup to your search

Reference: https://docs.splunk.com/Documentation/Splunk/7.2.0/Knowledge/Aboutlookupsandfieldactions
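
The two steps above as a single search, added here as an example that is not part of the original replies. It assumes an uploaded lookup file named operation_sla.csv (a hypothetical name) with the columns Operation and SLA, where Operation holds the same callingAppId.loggingOperationName strings the search builds. Because the lookup column is called Operation and the search field is callingAppAndOperation, the match needs AS, and operations missing from the file get a placeholder value instead of an empty cell.

```spl
loggingAppId=APPNAME
| eval callingAppAndOperation=callingAppId.".".loggingOperationName
| bin _time span=1h
| stats count AS HourlyTotal by _time, callingAppAndOperation
| sort -HourlyTotal
| dedup callingAppAndOperation
| lookup operation_sla.csv Operation AS callingAppAndOperation OUTPUT SLA
| fillnull value="no SLA defined" SLA
| sort callingAppAndOperation
| table callingAppAndOperation, HourlyTotal, SLA
```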