Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you include index/sourcetype in table data? (e.g. | table ..., ..., index)

ktrumpol
Path Finder
‎07-02-2013 07:51 PM

Hey guys, having a little trouble with this one.

How does one include the index in a table. This doesn't work:

(index=cwdswindows OR index=cwds) earliest_time="-7d"| stats max(_time) AS last_seen by host | sort host | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(last_seen) | table host, last_seen, index

I know it is pretty obvious by which index I search that is obviously the resulting index, but it would be nice if when I am sent the alert I can visibly see the source of the host and time last seen in my data table. I'm guessing since index is not a field, but rather a source full of fields, that is the issue. What is the way around this?

Thanks for any help at all!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

grijhwani
Motivator
‎07-02-2013 08:49 PM

You need to include index in your "stats" clause, otherwise it will not be present for the table clause.

Initially I thought it was because you had "convert" before rather than after "table", but that works either way.

View solution in original post

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-02-2013 09:49 PM

index is an ordinary field like any other. The reason it does not appear for you is that your stats command removes it. It will remove any field except those specified. If you really only have a single index, you modify your stats command by adding either first(index) as index, adding index to the split-by clause.

Reply
Solved! Jump to solution
Solution

grijhwani
Motivator
‎07-02-2013 08:49 PM

You need to include index in your "stats" clause, otherwise it will not be present for the table clause.

Initially I thought it was because you had "convert" before rather than after "table", but that works either way.

Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-03-2013 07:29 AM

Ahah! Including index in my stats clause definitely fixed the issue. Thank you thank you.

0 Karma
Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-02-2013 08:57 PM

Awesome! Thank you for trying to replicate my search to accurately diagnose the issue. I'll be sure to try this and vote your answer if it works.

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-02-2013 08:19 PM

it should work like that, you can try without the commas

table host last_seen index
0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-02-2013 09:01 PM

No, I did not use convert, he may be right then

0 Karma
Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-02-2013 08:58 PM

Did you try using convert in your search? The guy below said that when using convert, it has to come after table.

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎07-02-2013 08:32 PM

I tried showing the index field in a table and it worked for me with and without the commas... it's worth trying 😉

0 Karma
Reply
Solved! Jump to solution

ktrumpol
Path Finder
‎07-02-2013 08:24 PM

Hm I can't imagine without commas would make the difference, but I will try when I get back to my machine tomorrow! I'll let you know. Thanks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...