Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add an additional dummy row to a table?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tromero3
Path Finder
08-24-2020
01:45 PM
I have a search that outputs a table with two columns, one for log source one for total count (using stats count).
I'd like to add additional rows to the table where I can enter a custom field name for the "Log Source" column, and then the total count column will be empty for that row. This will be for exporting the results of the table to CSV and the additional rows I will be adding will be empty so I can enter whatever value I want in the Total Count column and save it.
So, this is how I would want it to look after the search is run (where Custom1 and Custom2 are the field names of the empty rows that I will be adding).
Is this possible and how would I go about it? Thank you!
Log Source Total Events
A 20
B 100
C 50
Custom1
Custom2
Current query:
index=A or index=B or index=C
| eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC")
| stats count by "Log Source"
| append [| makeresults | eval indexA="", indexB="", indexC="" | table indexA indexB indexC | transpose column_name="Log Source" ]
| stats max(count) AS count BY "Log Source"
| fillnull value=0 count
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tromero3
Path Finder
08-27-2020
08:16 AM
Thank you. I played around with it but could not get appendpipe to work properly. I was able to add the additional rows by using my existing search and adding the values within the append search ("TEST" below ).
index=A or index=B or index=C
| eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC")
| stats count by "Log Source"
| append [| makeresults | eval indexA="", indexB="", indexC="", TEST="" | table indexA indexB indexC TEST | transpose column_name="Log Source" ]
| stats max(count) AS count BY "Log Source"
| fillnull value=0 count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
08-24-2020
02:25 PM
try appendpipe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tromero3
Path Finder
08-27-2020
08:16 AM
Thank you. I played around with it but could not get appendpipe to work properly. I was able to add the additional rows by using my existing search and adding the values within the append search ("TEST" below ).
index=A or index=B or index=C
| eval "Log Source"=case(index == "A", "indexA", index == "B", "indexB", index == "C", "IndexC")
| stats count by "Log Source"
| append [| makeresults | eval indexA="", indexB="", indexC="", TEST="" | table indexA indexB indexC TEST | transpose column_name="Log Source" ]
| stats max(count) AS count BY "Log Source"
| fillnull value=0 count
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
