Solved: Re: Search term in table results

bullbasin

Ok maybe it is too much Splunk today. Whatever it is I can not for the life of me remember how to do this.

I am doing a basic search on some logs. I want to show the search term in the table results. The term is being queried out of the _raw

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| top Environment by userid
|  table  Environment, userid

Where and how to I add "THE_TERM" to the table results?

ITWhisperer

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| eval option="THE_TERM"

View solution in original post

ITWhisperer

index=myindex sourcetype=mystuff Environment=thisone "THE_TERM"
| eval option="THE_TERM"

richgalloway

If the search term is a fixed string then just add it to the table command.

| table Environment, userid, "THE_TERM"

---
If this reply helps you, Karma would be appreciated.

bullbasin

Unfortunately it is not a fixed term or field. It is just a random term for a search. Similar to using a search in MS Word for "FOO" in a 10,000 page document. Now I am trying to figure out how to make that useful in the table as a result. I have tried an input file this morning but not familiar with working with that.

Table desired....

Environment	userid	option
abc	defgh	THE TERM

richgalloway

Where does the term come from?

---
If this reply helps you, Karma would be appreciated.

bullbasin

The term is being queried out of the _raw. Which is also the field "Log"

richgalloway

Thank you, but I was wanting to learn where the random text "THE_TERM" comes from and how it gets into the query.

---
If this reply helps you, Karma would be appreciated.

Search term in table results

table

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...