Re: Add a new column,except "Time" "Event".

dovelsh12223621 · ‎05-12-2015

I want to add a new column,just like host to default the search results display .You know the searchstring like "index=_internal “ will show us ：
Time Event

I want to add a new column,so the search results will display:
Time Host Event

Please,give me some advices,thanks.

jeffland · ‎05-12-2015

If you want a table, use table with the columns you are interested in:

index=_internal | table _time host sourcetype

If you want the entire event, use

index=_internal | table _time host _raw

dovelsh12223621 · ‎05-12-2015

Yeah ,I know table .However,the table have no friendly user interface.I am sorry with it,also.I want to the search results display .Just like "index=_internal “ will show us ,and add new column like (host).Please,help me.

jeffland · ‎05-12-2015

Ah. Maybe the option to show those events as a table instead of a list is what you want. Under the green bars showing the count of results over time when you search for index=_internal, click on the leftmost option which should say "List" by default, next to "Format" and "20 per page". Select "Table" there instead of list, and you will see that besides the timestamp there are columns for all fields that are selected. If you do this and in the event sidebar select host and whichever other fields you are interested in, maybe this is what you need.

Although in a way, this is pretty much the same as table does.

Add a new column,except "Time" "Event".

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!