Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add a column to the results table based on an existing field?

ivtashev
New Member
‎04-25-2018 01:36 PM

Hello:

I am trying to add a column to the results table, the reason for this is so that I can then use that value for populating a token. Here is the search:

1.  <search here> 
2.  | chart latest(Data) AS "Data" over Time by Thread
3.  | sort + Time 
4.  | eval Goal=25 
5.  | eval Min=18 
6.  | eval LastPrimer=Primer

The results table of this looks like:

  Time   Goal    Min             data1    data2    data3
    0    25          18                   29.2728     26.2105   14.8187
    1    25          18                 29.6007   28.9153   14.9330

I want to also see LastPrimer in the results table. Primer is an indexed field.

Tags (4)
0 Karma
Reply

TISKAR
Builder
‎04-25-2018 03:19 PM

Hello,

You can use appendcols command:

<search here> 
  | chart latest(Data) AS "Data" over Time by Thread
  | sort + Time 
  | eval Goal=25 
  | eval Min=18 
  | appendcols [search <search here> | eval LastPrimer=Primer | table LastPrimer`]

Simple Example (You can past this request in your bare search):

  index="_internal" 
    | bin _time span=1d
    | stats count by _time
    | appendcols 
        [search index="_internal" 
        | table log_level 
        | dedup log_level]
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...