I'm currently producing a table from a search. There is some static data that needs to be added which is not in the index and needs to be added at search time. I'm toying with the idea to create a new search command to do this, is there an easier way?
* | table name phone
Let's assume I need to add another name?
* | dummy_event name=bob, phone=555-1234 |table name phone
There are a few options on how to do this without creating a custom search command:
... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]
or using a csv lookup file
... | outputlookup mydummyresults.csv append=t
Here is something that can help you... First, generate dummy columns and single row of results:
index=nothing_to_see_here |stats count| eval col1="beep" | eval col2="boop"|table col1 col2
┌──────┬──────┐
│ col1 │ col2 │
├──────┼──────┤
│ beep │ boop │
└──────┴──────┘
Append data from another dummy search:
index=nothing_to_see_here |stats count | eval col1="beep" | eval col2="boop" | table col1 col2 | append [search index=nothing_to_see_here | stats count | eval col1="science" | eval col2="magic" | table col1 col2 ]
┌─────────┬───────┐
│ col1 │ col2 │
├─────────┼───────┤
│ beep │ boop │
│ science │ magic │
└─────────┴───────┘
as mentioned above, the correct answer is the markresults command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults
Check out the new "makeresults" command
while the accepted answer above works, it is a trick. the search command makeresults is the correct answer
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults
There are a few options on how to do this without creating a custom search command:
... | append [ | stats count | fields - count | eval name="Bob" | eval phone="555-1234" ]
or using a csv lookup file
... | outputlookup mydummyresults.csv append=t
creative, I think I'm going to hack together a quick script.