Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol
Path Finder
‎07-02-2013 07:51 PM

Hey guys, having a little trouble with this one.

How does one include the index in a table. This doesn't work:

(index=cwdswindows OR index=cwds) earliest_time="-7d"| stats max(_time) AS last_seen by host | sort host | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(last_seen) | table host, last_seen, index

I know it is pretty obvious by which index I search that is obviously the resulting index, but it would be nice if when I am sent the alert I can visibly see the source of the host and time last seen in my data table. I'm guessing since index is not a field, but rather a source full of fields, that is the issue. What is the way around this?

Thanks for any help at all!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

grijhwani
Motivator
‎07-02-2013 08:49 PM

You need to include index in your "stats" clause, otherwise it will not be present for the table clause.

Initially I thought it was because you had "convert" before rather than after "table", but that works either way.

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-02-2013 09:49 PM

index is an ordinary field like any other. The reason it does not appear for you is that your stats command removes it. It will remove any field except those specified. If you really only have a single index, you modify your stats command by adding either first(index) as index, adding index to the split-by clause.

Reply
Solved! Jump to solution
Solution

grijhwani
Motivator
‎07-02-2013 08:49 PM

You need to include index in your "stats" clause, otherwise it will not be present for the table clause.

Initially I thought it was because you had "convert" before rather than after "table", but that works either way.

Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-03-2013 07:29 AM

Ahah! Including index in my stats clause definitely fixed the issue. Thank you thank you.

0 Karma
Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-02-2013 08:57 PM

Awesome! Thank you for trying to replicate my search to accurately diagnose the issue. I'll be sure to try this and vote your answer if it works.

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-02-2013 08:19 PM

it should work like that, you can try without the commas

table host last_seen index
0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-02-2013 09:01 PM

No, I did not use convert, he may be right then

0 Karma
Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-02-2013 08:58 PM

Did you try using convert in your search? The guy below said that when using convert, it has to come after table.

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-02-2013 08:32 PM

I tried showing the index field in a table and it worked for me with and without the commas... it's worth trying 😉

0 Karma
Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-02-2013 08:24 PM

Hm I can't imagine without commas would make the difference, but I will try when I get back to my machine tomorrow! I'll let you know. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...