Is there a way to report on the position of an event relative to the rest of the events in the result set?
For example, if I have five events in my result set, is there a way to display each event along with the position number relative in time to the other events, kind of like showing the ordering or row number?
Like this:
User    Row_Position
----    ------------
Eric    1
Greg    2
Gerald  3
Ledio   4
Mick    5
where the event containing User=Eric is the earliest in time, the one with User=Greg is the second one in time after that one, the event with User=Gerald is the next event in time after that one, etc.
BTW, when I create a table with my search, I notice a grayed-out row number on the far left side of the table in the search results page. Can I reference that? If so, what is the name of that field?
When viewing returned events (but not results) there is a field _serial that is returned with each event. The field is the zero-based index of the event within the original set of returned events (before other commands are run against the set).
Results, which are the results of stats, chart, or timechart commands, will not have such a field, as those will only have the fields you are summarizing. You could add such a field once your results are complete with | eval c=1 | accum c or | streamstats count as c commands though.
Cool. The accum command did the trick. Exactly what I needed. Thanks!