Try this:
| stats count as echo | eval echo = "foo"
That'll produce one result with a field echo and a value "foo".
You can also do:
| localop | stats count | eval myliteral="Whatever" | table myliteral
Why is the first | in front of stats needed? You don't need it to do just a search, but this stats command does not work without it. Thank you.
Without the pipe you're searching for the word "stats".
Note, by now there is the explicit command | makeresults to create an empty result; it's slightly more efficient than stats and much more readable.
Worked great, thanks.
There is no command in Splunk that functions exactly like the echo command of Linux, but from a combination of commands you can get the result that you want.
To display high values of a field, you can use commands such as "table", "field", ...
To change the field values, you use "eval", ...
You can use a macro to simulate the approach, or the map command; see if this example can help you:
sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"
Not sure that will do the trick. Sorry. Can you be more precise? In fact, that answer looks like a direct copy and paste from an unrelated question and answer.
|eval column='literal'
When entered in the search bar, no results are found. Can you please be more specific? Thanks.
What are you trying to achieve?
Enter something in the search bar and it is returned in the search results. Similar to echo.