How to add a column to the results table based on ...

ivtashev · ‎04-25-2018

Hello:

I am trying to add a column to the results table, the reason for this is so that I can then use that value for populating a token. Here is the search:

1.  <search here> 
2.  | chart latest(Data) AS "Data" over Time by Thread
3.  | sort + Time 
4.  | eval Goal=25 
5.  | eval Min=18 
6.  | eval LastPrimer=Primer

The results table of this looks like:

  Time   Goal    Min             data1    data2    data3
    0    25          18                   29.2728     26.2105   14.8187
    1    25          18                 29.6007   28.9153   14.9330

I want to also see LastPrimer in the results table. Primer is an indexed field.

TISKAR · ‎04-25-2018

Hello,

You can use appendcols command:

<search here> 
  | chart latest(Data) AS "Data" over Time by Thread
  | sort + Time 
  | eval Goal=25 
  | eval Min=18 
  | appendcols [search <search here> | eval LastPrimer=Primer | table LastPrimer`]

Simple Example (You can past this request in your bare search):

  index="_internal" 
    | bin _time span=1d
    | stats count by _time
    | appendcols 
        [search index="_internal" 
        | table log_level 
        | dedup log_level]

How to add a column to the results table based on an existing field?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?

How to add a column to the results table based on an existing field?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management