Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to append a column to the start of the table

lostcauz3
Path Finder
‎11-11-2021 10:21 AM

| makeresults | eval TYPE="CHANGES,INCIDENT,PROBLEM,TYPE" | makemv TYPE delim="," |  mvexpand TYPE

|appendcols [subsearch]

the above one is a static column which i want to be appended at the beginning  of the resulting table in the subsearch .

is there anything wrong with the order of the query, please help I'm new to splunk.


Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2021 10:45 AM

It depends what it is you are trying to do.

You might want to consider a table command to remove the _time column from the makeresults

| makeresults | eval TYPE="CHANGES,INCIDENT,PROBLEM,TYPE" | makemv TYPE delim="," |  mvexpand TYPE 
| table TYPE
| appendcols [search]
0 Karma
Reply

lostcauz3
Path Finder
‎11-11-2021 10:56 AM

I tried out what you said. The TYPE column is appearing first but the order of the columns of the subsearch table is getting jumbled in the result, not sure why that is happening .

0 Karma
Reply

lostcauz3
Path Finder
‎11-11-2021 10:59 AM

Ok so the order of the fields in the subsearch table is getting alphabetically sorted then it is getting appended to this static column type, any idea how I can retain the original field order  of the subsearch table.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2021 10:58 AM

You can use the table command to list the columns in the order you want them

0 Karma
Reply

lostcauz3
Path Finder
‎11-11-2021 11:05 AM

table "string values for kpi names",months
transpose header_field=months column_name=KPI

this is my resultant table from the above query(subsearch) and i want the type column added to the beginning of this resultant table without altering the order of this one.

KPIMonth1Month2Month3
datadatadatadata
datadatadatadata
datadatadatadata
0 Karma
Reply

lostcauz3
Path Finder
‎11-11-2021 11:05 AM

The months column is the last 3 months of data and this is dynamically generated. it will be like Oct2021,Sep2021,aug2021 that i've extracted using strftime earlier.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2021 03:37 PM

Transposethe makeresults, append a transposed version of the search, transpose them back again and remove the additional column

| makeresults
| eval TYPE="CHANGES,INCIDENT,PROBLEM" | makemv TYPE delim="," |  mvexpand TYPE 
| table TYPE
| transpose 0
| append 
    [| makeresults
| eval _raw="KPI	Month1	Month2	Month3
data	data	data	data
data	data	data	data
data	data	data	data" 
| multikv forceheader=1
| fields - _raw _time linecount
| transpose 0]
| transpose 0 header_field=column
| fields - column
0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...