There are two ways you can achieve this
1) Manually providing the description of columns in the search
Assuming your output column names are col1, col2 and col3 and appear in the output in the same order, try something like this:
| gentimes start=-1 | eval col1="Description of col1" | eval col2="Description of col2" | eval col3="Description of col3" | table col1 col2 col3| append [ Your current search providing results with columns col1 col2 col3]
2) Using a lookup to add description
Assuming you have a lookup table file named FieldDescription.csv with two fields, 'field' and 'desc', try this:
Your current search providing results with columns col1 col2 col3 | eval sortcolumn=1 | appendpipe [ | stats first(*) as * | transpose | lookup FieldDescription.csv field as column OUTPUT desc | xyseries "row 1" column desc | fields - "row 1" | eval sortcolumn=0 ] | sort sortcolumn | fields - sortcolumn
When I do the lookup method, I get each description taking up its own row, so I end up with a layer of many rows. How can I merge them together? I followed your lookup query exactly.
I do have some empty cells in my lookup table, which may be why.
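A self-contained version of the lookup method from the answer above, written as an added example rather than code from the original poster. It replaces the real search and the FieldDescription.csv lookup with constructed data (makeresults plus a case() expression), so it runs in any Splunk search bar without a lookup file; the field and description values are assumptions. It also pins the xyseries grouping field to a constant and fills missing descriptions with fillnull, so fields with no description still collapse into the single header row:

```spl
| makeresults count=3
| streamstats count AS n
| eval col1="user".n, col2="host".n, col3=n*10
| table col1 col2 col3
| eval sortcolumn=1
| appendpipe
    [ stats first(*) AS *
    | transpose
    | eval desc=case(column=="col1", "Login name",
                     column=="col2", "Source host",
                     true(), null())
    | fillnull value="(no description)" desc
    | eval key="header"
    | xyseries key column desc
    | fields - key
    | eval sortcolumn=0 ]
| sort 0 sortcolumn
| fields - sortcolumn
```

In the real search, swap the case() line for the lookup from the answer: `| lookup FieldDescription.csv field AS column OUTPUT desc`. The fillnull line is what keeps empty lookup cells from becoming separate rows, and grouping xyseries on a constant key (rather than on the transposed "row 1" values) guarantees exactly one description row regardless of how many distinct values the first result holds. Here col3 intentionally has no description so the fallback text is visible.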
Thanks, I haven't tried the lookup yet, but manually providing the descriptions worked great!
Like this:
... | append [ | noop | stats count AS desc1 | eval _time=now() + 1 | eval desc1="This describes field 1" | eval desc2="This describes field2" ] | sort 0 - _time
Or you can swap all the _time stuff with a bookend of leading and trailing | reverse commands to put your appended row on top.
BTW, this solution deliberately does NOT put your main search as the subsearch in the append command, because this imposes subsearch limits on your search. Beware of any answers that subsearch your main search.