Can I tag with search?

Explorer

I would like to tag you at search time.
I'd like to tag the result of the calculation when searching.

ex )
LogID Data1 Data2
1 323 421
2 391 117
3 341 221
4 268 230
5 182 311
6 277 213
7 57 177
8 27 251
9 72 235
10 201 257

Tag the sum of Data 1 and Data 2.

result:

LogID Data1 Data2 tag
1   323   421   744
2   391   117   508
3   341   221   562
4   268   230   498
5   182   311   493
6   277   213   490
7   57   177   234
8   27   251   278
9   72   235   307
10   201   257   458

index=sample
| eval sum=Data1+Data2
| tags outputfield=sum tag  ###Example Tagging syntax

I want you to tell me.
If I cannot do that, will I use a summary index, etc.?

0 Karma

Re: Can I tag with search?

Champion

As field "sum" is not indexed, I think you cannot use it as a tag.
I think what you are looking for is a "calculated field".

0 Karma

Re: Can I tag with search?

Explorer

Why not just

| eval tag=Data1+Data2 ?

If you need both tag and sum fields, you can also
| eval sum=tag

0 Karma