How to add additional columns in search results ba...

email2vimalraj · ‎10-03-2019

I've a search like this:

(api=*/getUser) OR (api=/api/v1/addUser component=Comp1) OR (api=/api/v1/addUser component=Comp2) | table api, component

But I wanted to add two more columns some thing like the below:

latency            flowname api                    component
Latency from comp1  Get User    /comp1/api/v1/getUser   Comp1
Latency from comp2  Get User    /comp2/api/v1/getUser   Comp2
Latency from comp1  Add User    /api/v1/addUser           Comp1
Latency from comp2  Add User    /api/v1/addUser           Comp2

I thought to use eval, but writing eval with many checks and balances in case of many API component combination doesn't sound great. Is there any solution to handle it?

gcusello · ‎10-03-2019

Hi email2vimalraj,
if you have many but not thousands combinations, you could use a lookup in which insert the possible combinations to display.

I don't know if the example are exaustive, but it seems possible to extract them using regexes and eval:

| rex field=api ".*\/(?<flowName>\w+)$"
| eval latency="latency from ".component, flowName=case(flowName="getUser","Get User",flowName="addUser","Add User")

Bye.
Giuseppe

How to add additional columns in search results based on the field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!