Evaling a value based on the position of the event...

szabados · ‎09-23-2015

I create a statistics table, which is sorted, and I use head 10 at the end, to display my results. What I want to do is, to add a new column with a number value, to show the position of the event.
something like this:

col1, col2, col3, position <---- thats what I want to add
value, value, value, 1
value, value, value, 2
value, value, value, 3
value, value, value, 4

How can I achieve this ?

somesoni2 · ‎09-23-2015

I believe you just want to add rownumber type of field. Try any one of below

Your current search which give your table | eval position=1 | accum position

OR

Your current search which give your table |streamstats count as position

badrinath_itrs · ‎09-23-2015

Hi,

You can try something like this to populate the additional column .

your search ... | eval position="1,2,3,4," | makemv delim="," position | mvexpand position |  table col1, col2, col3, col4, position | head 4

You can change the position value and head command limit as per your requirement.

Hope it helps.

Thanks

Evaling a value based on the position of the event in stats ?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Evaling a value based on the position of the event in stats ?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...