Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to add a column

Keerthi
Path Finder
‎06-30-2023 03:29 AM

Hi , needed a help. i need to add a column that is added newly to the sql data.below is the query
| savedsearch ABC
| join type=left BS_ID [| search index="PQR" source=XYZ
| rename BS_CODE as BS_ID SERVICE_OWNER as "System Owner" BUSINESS_OWNER as "Business Owner" SERVICE_SUBCATEGORY as Function SDM_FULLNAME as SDM
| sort LOGICAL_NAME | eval Application = DESCRIPTION
| rex mode=sed field=Application "s/^Managed//g" | rex mode=sed field=Application "s/Application$//g" | rex mode=sed field=Application "s/application$//g"
| eval Application = trim(Application)
| streamstats count as NO by BS_ID
| eventstats max(NO) as MaxTotal by BS_ID
| where NO=MaxTotal
|eval Function=case(Function="Service Excellence COE" and Application="Medical Insights Reporting","Service Excellence CoE",1=1,Function)
| table BS_ID Application Function SDM "System Owner" "Business Owner"]
| lookup countries.csv name as COUNTRY outputnew latitude, longitude, name
| eval COUNTRY = if(isnull(COUNTRY),"NA",COUNTRY)
| eval DEPARTMENT_LONG_NAME = if(isnull(DEPARTMENT_LONG_NAME),"NA",DEPARTMENT_LONG_NAME)
| eval DEPARTMENT_SHORT_NAME = if(isnull(DEPARTMENT_SHORT_NAME),"NA",DEPARTMENT_SHORT_NAME)

my ABC savedsearch has a column newly added as Category. i need to get into this saved search

Keerthi_0-1688120984970.png

 


Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-30-2023 04:01 AM

Hi

Based on your query, it should be there (just "correctly" formatted,  You get this by press Ctrl/Cmd+F)

| savedsearch ABC 
| join type=left BS_ID 
    [| search index="PQR" source=XYZ 
    | rename BS_CODE as BS_ID SERVICE_OWNER as "System Owner" BUSINESS_OWNER as "Business Owner" SERVICE_SUBCATEGORY as Function SDM_FULLNAME as SDM 
    | sort LOGICAL_NAME 
    | eval Application = DESCRIPTION 
    | rex mode=sed field=Application "s/^Managed//g" 
    | rex mode=sed field=Application "s/Application$//g" 
    | rex mode=sed field=Application "s/application$//g" 
    | eval Application = trim(Application) 
    | streamstats count as NO by BS_ID 
    | eventstats max(NO) as MaxTotal by BS_ID 
    | where NO=MaxTotal 
    | eval Function=case(Function="Service Excellence COE" and Application="Medical Insights Reporting","Service Excellence CoE",1=1,Function) 
    | table BS_ID Application Function SDM "System Owner" "Business Owner"] 
| lookup countries.csv name as COUNTRY outputnew latitude, longitude, name 
| eval COUNTRY = if(isnull(COUNTRY),"NA",COUNTRY) 
| eval DEPARTMENT_LONG_NAME = if(isnull(DEPARTMENT_LONG_NAME),"NA",DEPARTMENT_LONG_NAME) 
| eval DEPARTMENT_SHORT_NAME = if(isnull(DEPARTMENT_SHORT_NAME),"NA",DEPARTMENT_SHORT_NAME)

Are you sure that your

| savedsearch ABC

 return that field, when you are running it that way?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...