Splunk Search

How can you add a value from the header of a file into the various rows?


I'm drawing in multiple files that look something like this... and I need to be able to distinguish between data drawn in from one file as compared to another. So I'm looking to bring something from the header section of the file into the rows.

File #1
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
Col1 Col2 Col3
0001 9876 5555
0001 9876 5555
0001 9876 5555

File #2
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
Col1 Col2 Col3
0002 3333 6666
0002 4444 6666
0002 2222 6666

What I'm trying to end up with is...
Col1 Col2 Col3 Col4
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0002 3333 6666 EXA Curve
0002 4444 6666 EXA Curve
0002 2222 6666 EXA Curve

So I can run reports on AXA and EXA separately. Any ideas?


1 Solution


I can get the following search to work...

sourcetype=MySource | eventstats max(DATA_CATEGORY) by source

...and it works, but if I try to define this as a named column I could add to props.conf, I get an eval error using...

sourcetype=MySource | eval MyColumn = eventstats max(DATA_CATEGORY) by source

I found another post that suggested the following would work, but it failed to return anything at all

sourcetype=MySource | eventstats max(DATA_CATEGORY) by source as MyColumn | eval ShowColumn = MyColumn

so I'm close, but no cigar... any ideas?


0 Karma



I think the final search should be

sourcetype=MySource | eventstats max(DATA_CATEGORY) as MyColumn by source | eval ShowColumn = MyColumn


0 Karma
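To make the mechanics of the accepted search concrete, here is an added Python example (not Splunk code and not from anyone in this thread) that simulates what `eventstats max(DATA_CATEGORY) as MyColumn by source` does: every line of each file becomes an event carrying `source`, only the header line yields a `DATA_CATEGORY` field, and the per-source maximum of that field is then written onto every event from the same file. The file paths and the header values (`AXA Curve`, `EXA Curve`, taken from the desired output in the question rather than the sample headers) are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample input modelled on the two files in the question.
# The header values are an assumption: the question's desired output
# tags rows with "AXA Curve" / "EXA Curve", so the headers carry those.
FILES: Dict[str, str] = {
    "/data/file1.txt": (
        '\\DATA_CATEGORY_DEFINED = "AXA Curve"\n'
        "Col1 Col2 Col3\n"
        "0001 9876 5555\n"
        "0001 9876 5555\n"
        "0001 9876 5555\n"
    ),
    "/data/file2.txt": (
        '\\DATA_CATEGORY_DEFINED = "EXA Curve"\n'
        "Col1 Col2 Col3\n"
        "0002 3333 6666\n"
        "0002 4444 6666\n"
        "0002 2222 6666\n"
    ),
}

# Field extraction for the header line: the quoted value becomes DATA_CATEGORY.
HEADER_RE = re.compile(r'^\\DATA_CATEGORY_DEFINED\s*=\s*"([^"]*)"')


def extract_events(source: str, text: str) -> List[dict]:
    """Turn one file into line events the way an indexer would: every
    non-empty line is an event with `source` set; only the header line
    gets DATA_CATEGORY, and data lines get Col1..Col3."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {"source": source, "_raw": line}
        m = HEADER_RE.match(line)
        if m:
            ev["DATA_CATEGORY"] = m.group(1)
        elif not line.startswith("Col1"):  # skip the column-name line
            col1, col2, col3 = line.split()
            ev.update(Col1=col1, Col2=col2, Col3=col3)
        events.append(ev)
    return events


def eventstats_max(events: List[dict], field: str, by: str, as_name: str) -> List[dict]:
    """Simulates `| eventstats max(<field>) as <as_name> by <by>`: compute
    the per-group max of `field` over the events that carry it, then copy
    that value onto every event of the group. Events keep their order;
    a group with no value for `field` simply does not get the new field.
    max() over a single header value per file just selects that value."""
    maxes: Dict[str, str] = {}
    for ev in events:
        if field in ev:
            key = ev[by]
            maxes[key] = ev[field] if key not in maxes else max(maxes[key], ev[field])
    out = []
    for ev in events:
        new = dict(ev)
        if ev[by] in maxes:
            new[as_name] = maxes[ev[by]]
        out.append(new)
    return out


def data_rows_by_category(files: Dict[str, str]) -> List[dict]:
    """Index all files, run the eventstats equivalent, and return only the
    data rows, each now tagged with MyColumn from its own file's header."""
    events = [e for src, txt in files.items() for e in extract_events(src, txt)]
    tagged = eventstats_max(events, "DATA_CATEGORY", "source", "MyColumn")
    return [e for e in tagged if "Col1" in e]


if __name__ == "__main__":
    for row in data_rows_by_category(FILES):
        print(row["Col1"], row["Col2"], row["Col3"], row["MyColumn"])
```

The `by source` clause is what keeps the two files apart: without it, `max()` would run across both headers and every row would receive the lexicographically larger category. The same simulation also shows why the search has to be a pipeline stage rather than an `eval` expression, since the value attached to a row comes from a different event (the header line) in the same file.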


Perfect. Thank you 🙂

0 Karma


Why not use source? Source will be the name of the file these events were extracted from.

0 Karma


The file names aren't distinct enough, and don't properly identify the value I need. I really just need to be able to use a value from the header as a constant within those particular results.

0 Karma