
How can I add a new field to my table?

tkwaller_2
Communicator

Hello

I have a very long search (so I won't paste it all unless necessary) that tables a bunch of data. The field DaysPastDue is eval'd/calculated.

But here's the end of the search that tables the data:

|table AssessmentName RiskRank "Workflow Name" "Workflow Phase" "Workflow Process Name" "Workflow Step Name" SLA DaysPastDue "Workflow Step Sort Order"
|rename "Workflow Phase" AS "Phase Name" "Workflow Process Name" AS "Process Name" "Workflow Step Name" AS "Step Name" "Workflow Step Sort Order" as "Step Order"
| sort AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name" "Step Name"

Trying to add a few more fields, but I can't seem to think of HOW. Currently I have in the table: AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name" "Step Name" SLA DaysPastDue "Step Order"

| AssessmentName | RiskRank | Workflow Name | Phase Name | Process Name | Step Name | SLA | DaysPastDue | Step Order |
|---|---|---|---|---|---|---|---|---|
| Ernie and Oldguy - 2018 - Todd | Ernie and Oldguy - Accounting and Audit Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Approved | 3 | 0 | 2 |
| Ernie and Oldguy - 2018 - Todd | Ernie and Oldguy - Accounting and Audit Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Reviewed | 3 | 0 | 1 |
| Ernie and Oldguy - 2018 - Todd | Ernie and Oldguy - Accounting and Audit Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Submitted by Business | 2 | 0 | 0 |
| Ernie and Oldguy - 2018 - Todd | Ernie and Oldguy - Consulting Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Approved | 3 | 0 | 2 |
| Ernie and Oldguy - 2018 - Todd | Ernie and Oldguy - Consulting Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Reviewed | 3 | 0 | 1 |
| Ernie and Oldguy - 2018 - Todd | Ernie and Oldguy - Consulting Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Submitted by Business | 2 | 0 | 0 |
| Johnson Johnson and Johnson LLP - Legal Services - SIG Lite 2018 | Johnson Johnson and Johnson LLP - Legal Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Approved | 3 | 0 | 2 |
| Johnson Johnson and Johnson LLP - Legal Services - SIG Lite 2018 | Johnson Johnson and Johnson LLP - Legal Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Reviewed | 3 | 0 | 1 |
| Johnson Johnson and Johnson LLP - Legal Services - SIG Lite 2018 | Johnson Johnson and Johnson LLP - Legal Services RR | RISK RANK | PLAN | Risk Rank | Risk Rank Submitted by Business | 2 | 0 | 0 |
| Roumen Test | United Rentals Risk Rank 2 | General Assessment | Due Dilligence | Internal Kickoff | Completed | 5 | 88 | 1 |
| Roumen Test | United Rentals Risk Rank 2 | General Assessment | Due Dilligence | Internal Kickoff | Scheduled | 5 | 93 | 0 |

What I'm trying to do next is create a field called BEST that evaluates all of the "Step Name" values for a given AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name" and returns the lowest value of DaysPastDue,
BUT
I want to also keep the table above, so basically this would be another column after "Step Order".

Any ideas on how I could achieve this?
Thanks for the help!


somesoni2
SplunkTrust

You'd need the eventstats command to calculate that, which does the aggregation without affecting the current result set (I mean, unless you make the eventstats output column the same as one you already have, you'd have your current result intact). Like this:

..previous portion of search ...
|table AssessmentName RiskRank "Workflow Name" "Workflow Phase" "Workflow Process Name" "Workflow Step Name" SLA DaysPastDue "Workflow Step Sort Order"
|rename "Workflow Phase" AS "Phase Name" "Workflow Process Name" AS "Process Name" "Workflow Step Name" AS "Step Name" "Workflow Step Sort Order" as "Step Order"
| sort AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name" "Step Name"
| eventstats min(DaysPastDue) as BEST by AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name"

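The accepted answer, as an added, self-contained example that is not part of the original thread: it rebuilds five rows of the posted sample (the three Accounting and Audit Services steps and the two Roumen Test steps) with makeresults so it runs in any Splunk search bar without an index or lookup, then appends BEST with eventstats. The extra column BehindBest and the explicit column order in the final table are illustrations added here, not something the answer or the asker wrote; the group-by keys and the min(DaysPastDue) aggregation are exactly the answer's.

```spl
| makeresults count=5
| streamstats count AS n
| eval AssessmentName=if(n<=3, "Ernie and Oldguy - 2018 - Todd", "Roumen Test"),
       RiskRank=if(n<=3, "Ernie and Oldguy - Accounting and Audit Services RR", "United Rentals Risk Rank 2"),
       WorkflowName=if(n<=3, "RISK RANK", "General Assessment"),
       PhaseName=if(n<=3, "PLAN", "Due Dilligence"),
       ProcessName=if(n<=3, "Risk Rank", "Internal Kickoff"),
       StepName=case(n==1, "Risk Rank Submitted by Business", n==2, "Risk Rank Reviewed", n==3, "Risk Rank Approved", n==4, "Scheduled", true(), "Completed"),
       StepOrder=case(n==1, 0, n==2, 1, n==3, 2, n==4, 0, true(), 1),
       SLA=case(n==1, 2, n<=3, 3, true(), 5),
       DaysPastDue=case(n==4, 93, n==5, 88, true(), 0)
| rename WorkflowName AS "Workflow Name" PhaseName AS "Phase Name" ProcessName AS "Process Name" StepName AS "Step Name" StepOrder AS "Step Order"
| eventstats min(DaysPastDue) AS BEST by AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name"
| eval BehindBest=DaysPastDue-BEST
| table AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name" "Step Name" SLA DaysPastDue "Step Order" BEST BehindBest
| sort 0 AssessmentName RiskRank "Workflow Name" "Phase Name" "Process Name" "Step Order"
```

Running this keeps all five rows: the three Accounting and Audit Services rows get BEST=0, and the two Roumen Test rows both get BEST=88, so the Scheduled step shows BehindBest=5 and the Completed step BehindBest=0. That per-row comparison is only possible because eventstats writes the group aggregate back onto every event; `stats min(DaysPastDue) AS BEST by ...` would have collapsed each group to a single row and thrown the step columns away. Three practical points: the `by` clause must use the field names as they exist at that point in the pipeline (the renamed "Phase Name", not "Workflow Phase"), because events missing any by-field are simply not assigned a value; min() compares numerically only if every value is numeric, so wrap the field in tonumber() if DaysPastDue ever arrives as a string from a lookup; and `sort` returns at most 10000 results by default, so use `sort 0` when the table can be larger than that.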


tkwaller_2
Communicator

For the win. I used the wrong search command.
Thanks again
