Splunk Search

How can you add a value from the header of a file into the various rows?

Explorer

I'm drawing in multiple files that look something like this... and I need to be able to distinguish between data drawn in from one file as compared to another. So I'm looking to bring something from the header section of the file into the rows.

File #1
\DATA_CATEGORY = "AXA Curve"
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
\PUBLIC = "Y"
\NUMBER_OF_POINTS = "1090"
Col1 Col2 Col3
0001 9876 5555
0001 9876 5555
0001 9876 5555

File #2
\DATA_CATEGORY = "EXA Curve"
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
\PUBLIC = "Y"
\NUMBER_OF_POINTS = "1090"
Col1 Col2 Col3
0002 3333 6666
0002 4444 6666
0002 2222 6666

What I'm trying to end up with is...
Col1 Col2 Col3 Col4
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0002 3333 6666 EXA Curve
0002 4444 6666 EXA Curve
0002 2222 6666 EXA Curve

So I can run reports on AXA and EXA separately. Any ideas?

Thanks,
Peter

1 Solution

Explorer

I can get the following search to work...

sourcetype=MySource | eventstats max(DATA_CATEGORY) by source

...and it works, but if I try to define this as a named column I could add to props.conf, I get an eval error using...

sourcetype=MySource | eval MyColumn = eventstats max(DATA_CATEGORY) by source

I found another post that suggested the following would work, but it failed to return anything at all

sourcetype=MySource | eventstats max(DATA_CATEGORY) by source as MyColumn | eval ShowColumn = MyColumn

So I'm close, but no cigar... any ideas?


0 Karma


Contributor

I think the final search should be

sourcetype=MySource | eventstats max(DATA_CATEGORY) as MyColumn by source | eval ShowColumn = MyColumn

Dave

0 Karma
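As an added illustration (not code from the thread), here is a small Python model of why Dave's search works: each line of the file is indexed as its own event tagged with its source, so the DATA_CATEGORY value lives on one header event per file, and eventstats max(DATA_CATEGORY) as MyColumn by source copies that per-source value onto every data row. The file names and file contents are constructed to match the layout in the question.

```python
import re
from collections import defaultdict

# Constructed sample input in the layout shown in the question (one dict entry per file).
FILES = {
    "file1.txt": '\\DATA_CATEGORY = "AXA Curve"\n\\PUBLIC = "Y"\nCol1 Col2 Col3\n0001 9876 5555\n0001 9876 5555\n',
    "file2.txt": '\\DATA_CATEGORY = "EXA Curve"\n\\PUBLIC = "Y"\nCol1 Col2 Col3\n0002 3333 6666\n0002 4444 6666\n',
}

HEADER_RE = re.compile(r'^\\(\w+)\s*=\s*"([^"]*)"\s*$')   # \KEY = "value"
ROW_RE = re.compile(r'^(\d+)\s+(\d+)\s+(\d+)\s*$')        # three numeric columns

def index_events(files):
    # Mimic line-by-line indexing: every line becomes an event tagged with its
    # source; header lines carry the extracted key/value, data rows carry Col1..Col3.
    events = []
    for source, text in files.items():
        for line in text.splitlines():
            ev = {"source": source}
            if m := HEADER_RE.match(line):
                ev[m.group(1)] = m.group(2)
            elif m := ROW_RE.match(line):
                ev["Col1"], ev["Col2"], ev["Col3"] = m.groups()
            else:
                continue  # the 'Col1 Col2 Col3' label line is dropped
            events.append(ev)
    return events

def eventstats_max_by_source(events, field, as_name):
    # Equivalent of '| eventstats max(<field>) as <as_name> by source': the max
    # of <field> per source is written onto every event of that source, which is
    # how the single header event's value reaches the data rows that lack it.
    per_source = defaultdict(list)
    for ev in events:
        if field in ev:
            per_source[ev["source"]].append(ev[field])
    for ev in events:
        if per_source[ev["source"]]:
            ev[as_name] = max(per_source[ev["source"]])
    return events

def rows_with_category(files):
    # Data rows only, each carrying the header value as the fourth column
    # (None if a file had no DATA_CATEGORY header, as Splunk would leave it null).
    events = eventstats_max_by_source(index_events(files), "DATA_CATEGORY", "MyColumn")
    return [(e["Col1"], e["Col2"], e["Col3"], e.get("MyColumn")) for e in events if "Col1" in e]
```

Because max() is taken per source, the approach only stays correct while each file carries exactly one DATA_CATEGORY header line; two different values in one file would silently collapse to the larger one.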

Explorer

Perfect. Thank you 🙂

0 Karma

Legend

Why not use source? Source will be the name of the file these events were extracted from.

0 Karma

Explorer

The file names aren't distinct enough, and don't properly identify the value I need. I really just need to be able to use a value from the header as a constant within those particular results.

0 Karma