Evaling a value based on the position of the event...

szabados · ‎09-23-2015

I create a statistics table, which is sorted, and I use head 10 at the end, to display my results. What I want to do is, to add a new column with a number value, to show the position of the event.
something like this:

col1, col2, col3, position <---- thats what I want to add
value, value, value, 1
value, value, value, 2
value, value, value, 3
value, value, value, 4

How can I achieve this ?

somesoni2 · ‎09-23-2015

I believe you just want to add rownumber type of field. Try any one of below

Your current search which give your table | eval position=1 | accum position

OR

Your current search which give your table |streamstats count as position

badrinath_itrs · ‎09-23-2015

Hi,

You can try something like this to populate the additional column .

your search ... | eval position="1,2,3,4," | makemv delim="," position | mvexpand position |  table col1, col2, col3, col4, position | head 4

You can change the position value and head command limit as per your requirement.

Hope it helps.

Thanks

Evaling a value based on the position of the event in stats ?

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Are you a member of the Splunk Community?

Evaling a value based on the position of the event in stats ?

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain