Solved: Refer to a field in table by its position

nabeel652 · ‎07-15-2019

Wondering if we can do something like this:

... | table * | sort by <1>

Where <1> refers to the first field in the table as the field names are dynamic and subject to change.

HiroshiSatoh · ‎07-15-2019

If the order of field names is acceptable

 ... | table * |sort [search (your search)|head 1 | table * | stats dc(*) as * | transpose |head 1|rename column as query]

HiroshiSatoh · ‎07-15-2019

If the order of field names is acceptable

 ... | table * |sort [search (your search)|head 1 | table * | stats dc(*) as * | transpose |head 1|rename column as query]

nabeel652 · ‎07-15-2019

Awesome, that worked. Can you please explain this?

| rename column as query

HiroshiSatoh · ‎07-15-2019

The return value will be the value only. Usually field = value.

special field：query

index=* [inputlookup xxx.csv | fields col_a]
->(col_a=1) OR (col_a=2) OR (col_a=3) ・・・・

index=* [inputlookup xxx.csv | rename col_a as query | fields query]
->(1) OR (2) OR (3) ・・・・

jkat54 · ‎07-15-2019

Try this

 | stats values(*) as * | sort 0 *

nabeel652 · ‎07-15-2019

Nope, this will group everything up in one cell which is not the desired outcome 🙂

Refer to a field in table by its position