I'm drawing in multiple files that look something like this... and I need to be able to distinguish between data drawn in from one file as compared to another. So I'm looking to bring something from the header section of the file into the rows.
File #1
\DATA_CATEGORY = "AXA Curve"
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
\PUBLIC = "Y"
\NUMBER_OF_POINTS = "1090"
Col1 Col2 Col3
0001 9876 5555
0001 9876 5555
0001 9876 5555
File #2
\DATA_CATEGORY = "EXA Curve"
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
\PUBLIC = "Y"
\NUMBER_OF_POINTS = "1090"
Col1 Col2 Col3
0002 3333 6666
0002 4444 6666
0002 2222 6666
What I'm trying to end up with is...
Col1 Col2 Col3 Col4
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0002 3333 6666 EXA Curve
0002 4444 6666 EXA Curve
0002 2222 6666 EXA Curve
So I can run reports on AXA and EXA separately. Any ideas?
Thanks,
Peter
I can get the following search to work...
sourcetype=MySource | eventstats max(DATA_CATEGORY) by source
...and it works, but if I try to define this as a named column I could add to props.conf, I get an eval error using...
sourcetype=MySource | eval MyColumn = eventstats max(DATA_CATEGORY) by source
I found another post that suggested the following would work, but it failed to return anything at all
sourcetype=MySource | eventstats max(DATA_CATEGORY) by source as MyColumn | eval ShowColumn = MyColumn
so I'm close, but no cigar... any ideas?
I think the final search should be
sourcetype=MySource | eventstats max(DATA_CATEGORY) as MyColumn by source | eval ShowColumn = MyColumn
Dave
Perfect. Thank you 🙂
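What `eventstats max(DATA_CATEGORY) as MyColumn by source` does to these files, as an added Python sketch that is not part of the original thread and not Splunk code. It assumes each line is indexed as its own event with the header fields extracted; the source names and function names are hypothetical.

```python
import re

# Constructed sample: (source, raw line) pairs modelled on the two files in the question.
SAMPLE_EVENTS = [
    ("file1.txt", r'\DATA_CATEGORY = "AXA Curve"'),
    ("file1.txt", r'\NUMBER_OF_POINTS = "1090"'),
    ("file1.txt", "Col1 Col2 Col3"),
    ("file1.txt", "0001 9876 5555"),
    ("file2.txt", r'\DATA_CATEGORY = "EXA Curve"'),
    ("file2.txt", "Col1 Col2 Col3"),
    ("file2.txt", "0002 3333 6666"),
    ("file2.txt", "0002 4444 6666"),
    ("file3.txt", "0003 1111 7777"),  # constructed edge case: no header in this source
]

HEADER_RE = re.compile(r'^\\(\w+)\s*=\s*"(.*)"$')   # \KEY = "value"
ROW_RE = re.compile(r'^(\d+)\s+(\d+)\s+(\d+)$')     # three numeric columns

def parse_event(source, raw):
    """Turn one raw line into an event dict; only header lines carry DATA_CATEGORY."""
    event = {"source": source}
    line = raw.strip()
    header, row = HEADER_RE.match(line), ROW_RE.match(line)
    if header:
        event[header.group(1)] = header.group(2)
    elif row:
        event.update(zip(("Col1", "Col2", "Col3"), row.groups()))
    return event

def eventstats_max(events, field, as_name, by):
    """Pass 1: max of `field` per `by` group. Pass 2: copy it onto every event in the group."""
    best = {}
    for e in events:
        if field in e and (e[by] not in best or e[field] > best[e[by]]):
            best[e[by]] = e[field]  # string comparison, since the values here are text
    # Events whose group never had the field are left without `as_name`.
    return [dict(e, **{as_name: best[e[by]]}) if e[by] in best else dict(e)
            for e in events]

def build_report(raw_events):
    """Data rows only, each with the category taken from its own file's header."""
    events = [parse_event(s, r) for s, r in raw_events]
    events = eventstats_max(events, "DATA_CATEGORY", "MyColumn", "source")
    return [(e["Col1"], e["Col2"], e["Col3"], e.get("MyColumn"))
            for e in events if "Col1" in e]

if __name__ == "__main__":
    for row in build_report(SAMPLE_EVENTS):
        print(*row)
```
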
Why not use source? Source will be the name of the file these events were extracted from.
The file names aren't distinct enough, and don't properly identify the value I need. I really just need to be able to use a value from the header as a constant within those particular results.