Evaling a value based on the position of the event...

szabados · ‎09-23-2015

I create a statistics table, which is sorted, and I use head 10 at the end, to display my results. What I want to do is, to add a new column with a number value, to show the position of the event.
something like this:

col1, col2, col3, position <---- thats what I want to add
value, value, value, 1
value, value, value, 2
value, value, value, 3
value, value, value, 4

How can I achieve this ?

somesoni2 · ‎09-23-2015

I believe you just want to add rownumber type of field. Try any one of below

Your current search which give your table | eval position=1 | accum position

OR

Your current search which give your table |streamstats count as position

badrinath_itrs · ‎09-23-2015

Hi,

You can try something like this to populate the additional column .

your search ... | eval position="1,2,3,4," | makemv delim="," position | mvexpand position |  table col1, col2, col3, col4, position | head 4

You can change the position value and head command limit as per your requirement.

Hope it helps.

Thanks

Evaling a value based on the position of the event in stats ?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Evaling a value based on the position of the event in stats ?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers