Solved: Search term in table results

bullbasin · ‎10-29-2024

Ok maybe it is too much Splunk today. Whatever it is I can not for the life of me remember how to do this.

I am doing a basic search on some logs. I want to show the search term in the table results. The term is being queried out of the _raw

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| top Environment by userid
|  table  Environment, userid

Where and how to I add "THE_TERM" to the table results?

ITWhisperer · ‎10-30-2024

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| eval option="THE_TERM"

View solution in original post

ITWhisperer · ‎10-30-2024

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| eval option="THE_TERM"

richgalloway · ‎10-29-2024

If the search term is a fixed string then just add it to the table command.

| table Environment, userid, "THE_TERM"

---
If this reply helps you, Karma would be appreciated.

bullbasin · ‎10-30-2024

Unfortunately it is not a fixed term or field. It is just a random term for a search. Similar to using a search in MS Word for "FOO" in a 10,000 page document. Now I am trying to figure out how to make that useful in the table as a result. I have tried an input file this morning but not familiar with working with that.

Table desired....

Environment	userid	option
abc	defgh	THE TERM

richgalloway · ‎10-30-2024

Where does the term come from?

---
If this reply helps you, Karma would be appreciated.

bullbasin · ‎10-30-2024

The term is being queried out of the _raw. Which is also the field "Log"

richgalloway · ‎10-30-2024

Thank you, but I was wanting to learn where the random text "THE_TERM" comes from and how it gets into the query.

---
If this reply helps you, Karma would be appreciated.

Search term in table results

table

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability