Splunk Search

How to add a row into table?

jyamie
Explorer

How can I add a row into a table either manually or through a look-up table? I would like to insert the row right below the column headers, and will use them to include descriptions of each column.

0 Karma

somesoni2
SplunkTrust

There are two ways you can achieve this:

1) Manually providing the description of columns in the search
Assuming your output column names are col1, col2 and col3 and appear in the output in the same order, try something like this:

| gentimes start=-1 | eval col1="Description of col1" | eval col2="Description of col2" | eval col3="Description of col3" | table col1 col2 col3 | append [ Your current search providing results with columns col1 col2 col3 ]

2) Using a lookup to add description
Assuming you have a lookup table file named FieldDescription.csv with two fields, 'field' and 'desc', try this:

Your current search providing results with columns col1 col2 col3 | eval sortcolumn=1 | appendpipe [ | stats first(*) as * | transpose | lookup FieldDescription.csv field as column OUTPUT desc | xyseries "row 1" column desc | fields - "row 1" | eval sortcolumn=0 ] | sort sortcolumn | fields - sortcolumn

jyamie
Explorer

When I do the lookup method, I get each description taking up its own row, so I end up with a layer of many rows. How can I merge them together? I followed your lookup query exactly.

0 Karma

jyamie
Explorer

I do have some empty cells, which may be why, in my lookup table.

0 Karma

jyamie
Explorer

Thanks, I haven't tried the lookup yet, but manually providing the descriptions worked great!

0 Karma

woodcock
Esteemed Legend

Like this:

... | append [ | noop | stats count AS desc1 | eval _time=now() + 1 |  eval desc1="This describes field 1" | eval desc2="This describes field2" ] | sort 0 - _time

Or you can swap all the _time stuff with a bookend of leading and trailing | reverse commands to put your appended row on top.

woodcock
Esteemed Legend

BTW, this solution deliberately does NOT put your main search as the subsearch in the append command because this imposes subsearch limits on your search. Beware of any answers that subsearch your main search.

0 Karma
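
The `| reverse` bookend variant mentioned above, written out as an added example that is not part of the original posts. The first four lines use `makeresults` to build constructed sample rows standing in for the main search (the col1/col2/col3 names are taken from the accepted answer), and only the single description row sits inside the `append` subsearch, so the main search is not subject to subsearch limits.

```spl
| makeresults count=3
| streamstats count AS n
| eval col1="host-".n, col2=n*10, col3="ok"
| table col1 col2 col3
| reverse
| append
    [| makeresults
     | eval col1="Description of col1", col2="Description of col2", col3="Description of col3"
     | table col1 col2 col3]
| reverse
```

The first `reverse` flips the main results, `append` adds the description row at the bottom, and the second `reverse` restores the original order with the description row on top.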