Help with forming a table with sourcename next to the first column for each row?

charanramireddy
New Member

Hi,

I'm searching multiple sources in a single index and getting the results as a table. I want to display the sourcename next to the first column for each row. How can I do that?

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

 index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4 by Local source | sort 0 - COL2

0 Karma

charanramireddy
New Member

this is exactly what I was looking for.

0 Karma

Sukisen1981
Champion

index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4 by Local | sort 0 - COL2

If I just add

index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4, latest(source) as COL5 by Local | sort 0 - COL2

or if you want to see ALL the source values in one go

index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4, values(source) as COL5 by Local | sort 0 - COL2

Coming back to what @niketnilay is asking: is source an auto-discovered field, or do you want to extract a custom source field?

0 Karma

charanramireddy
New Member

This is my sample search

index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4 by Local | sort 0 - COL2

and I want a new column appended with source values as second column.

0 Karma

richgalloway
SplunkTrust

You mean like this?

<base search> | table foo source ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

charanramireddy
New Member

yes but

table  "prior column names" source 

shows empty column for source.

0 Karma

niketn
Legend

@charanramireddy, Are you saying the following works

 <YourBaseSearch>
| table source foo

But reversing the sequence does not?

 <YourBaseSearch>
| table foo source

What type of data input is it? What is going to be the first column in the table? Are you able to see source names when you run your base search under interesting fields? What is the exact table command you are running?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Sukisen1981
Champion

Not really clear what you want. Can you give a sample of what your table looks like currently and how you would want it to appear?

0 Karma