How to add new field in existing index

jadengoho · ‎01-23-2018

I have a index that have 2 fields only
index="TRIAL_INDEX" fields: sample1, sample2

And i will make a new field by
index="TRIAL_INDEX"
| eval sample3= sample1+sample2

What i want is that sample3 would add to the index , so the next time i search it will appear anywhere.

mayurr98 · ‎01-23-2018

hey try this

go to Fields » Calculated fields » Add new
Put Name: sample3
Eval Expression : sample1+sample2

let me know if this helps!

jadengoho · ‎01-23-2018

Yes it is helpful , but is there a way that it will be triggered when a BUTTON CLICK in the dashboard ? or in the SPL itself ?

mayurr98 · ‎01-23-2018

I do not know but this is achievable by js on a dashboard but then it will not reflect in a raw data.This is the only method I think to reflect in a raw data by default.

cmerriman · ‎01-23-2018

you're wanting sample3 always in your results without having to add that eval statement?

jadengoho · ‎01-23-2018

what i want is the sample1, sample2, sample3 would be in the index .
After i eval it i like it to be insert to the index , if that is possible .

How to add new field in existing index

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How to add new field in existing index

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases