Splunk Enterprise

How to append a column to the start of the table

lostcauz3
Path Finder

| makeresults | eval TYPE="CHANGES,INCIDENT,PROBLEM,TYPE" | makemv TYPE delim="," |  mvexpand TYPE

| appendcols [subsearch]

The above one is a static column which I want to be appended at the beginning of the resulting table in the subsearch.

Is there anything wrong with the order of the query? Please help, I'm new to Splunk.


0 Karma

ITWhisperer
SplunkTrust

It depends what it is you are trying to do.

You might want to consider a table command to remove the _time column from the makeresults:

| makeresults | eval TYPE="CHANGES,INCIDENT,PROBLEM,TYPE" | makemv TYPE delim="," |  mvexpand TYPE 
| table TYPE
| appendcols [search]
0 Karma

lostcauz3
Path Finder

I tried out what you said. The TYPE column is appearing first, but the order of the columns of the subsearch table is getting jumbled in the result; not sure why that is happening.

0 Karma

lostcauz3
Path Finder

OK, so the order of the fields in the subsearch table is getting alphabetically sorted, then it is getting appended to this static column type. Any idea how I can retain the original field order of the subsearch table?

0 Karma

ITWhisperer
SplunkTrust

You can use the table command to list the columns in the order you want them.

0 Karma

lostcauz3
Path Finder

| table "string values for kpi names",months
| transpose header_field=months column_name=KPI

This is my resultant table from the above query (subsearch), and I want the type column added to the beginning of this resultant table without altering the order of this one.

KPI  | Month1 | Month2 | Month3
data | data   | data   | data
data | data   | data   | data
data | data   | data   | data
0 Karma

lostcauz3
Path Finder

The months column is the last 3 months of data and this is dynamically generated. It will be like Oct2021,Sep2021,aug2021 that I've extracted using strftime earlier.

 

0 Karma

ITWhisperer
SplunkTrust

Transpose the makeresults, append a transposed version of the search, transpose them back again and remove the additional column.

| makeresults
| eval TYPE="CHANGES,INCIDENT,PROBLEM" | makemv TYPE delim="," |  mvexpand TYPE 
| table TYPE
| transpose 0
| append 
    [| makeresults
| eval _raw="KPI	Month1	Month2	Month3
data	data	data	data
data	data	data	data
data	data	data	data" 
| multikv forceheader=1
| fields - _raw _time linecount
| transpose 0]
| transpose 0 header_field=column
| fields - column
0 Karma