eval a new field base on a search result

gfs2277 · ‎09-20-2014

hey ninjas,

i have a search result like the following:

error_code1 42
error_code2 55
error_code3 62
error_code4 17

i want to append a colum at the right side
the value of the colum is base on a search result ( such as index=nijia | stats count)
i expect it to looked like the this:

error_code1 42 100
error_code2 55 100
error_code3 62 100
error_code4 17 100

i think i should use "eval" to get the new colum , but i do not know how to eval a new field base on a search result
do you have any ideas?

landen99 · ‎11-03-2014

Here are a couple of other options:

| appendcol [subsearch]

as well, but this will only match the values line by line in the order that the results appear from the subsearch. Or you could use

| join field1 [subsearch]

to match the results to the base search as they match on field1.

tpask · ‎01-15-2021

| appendcols [ search .... ] works

somesoni2 · ‎09-20-2014

Your base search giving error_code, count | eval newCol=[ search index=ninja |stats count | return $count]

ruman_splunk · ‎07-11-2019

This didn't work for me, but this did:

| eval [ | rest splunk_server=local /services/server/info | return host ]

MuS · ‎09-20-2014

Did you try addtotals http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Addtotals ?

gfs2277 · ‎09-20-2014

please note the search ( what the eval base on ) just return single value ( not multi-row )
so appendcols will not works in this case

eval a new field base on a search result

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!