Solved: How to calculate and add missing field to source?

user93 · ‎03-11-2019

source A : filename,title,version,type,date
source B: filename,date

I want to compute the title field for source b and output that into my data where the file name has the same value for source A and B.

Goal:  source=b | table _time,filename,title

Where source b does not include the title in the _raw but source a has the same filename and also includes title in the _raw.

richgalloway · ‎03-11-2019

Try this:

(source=A OR source=B) | stats latest(_time) as _time, latest(title) as title by filename | table _time, filename, title

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-11-2019

Try this:

(source=A OR source=B) | stats latest(_time) as _time, latest(title) as title by filename | table _time, filename, title

---
If this reply helps you, Karma would be appreciated.

user93 · ‎03-11-2019

This works, but what I really want is for the events to become a new field in the search, because now I cannot add other fields lost to the stats pipe. For example, I want: | table _time,filename,title,version,w_day

richgalloway · ‎03-12-2019

To avoid losing fields to stats, include them in stats. ... | stats latest(_time) as _time, latest(title) as title latest(version) as version, latest(w_day) as w_day by filename | ....

---
If this reply helps you, Karma would be appreciated.

user93 · ‎03-12-2019

Thanks @richgalloway. I thought enough to do that, but my mistake was not carrying the by clause to the end. Makes sense to me now. Thank you.

How to calculate and add missing field to source?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes