Splunk Search

How can you add a value from the header of a file into the various rows?

pcawdron
Explorer

I'm drawing in multiple files that look something like this... and I need to be able to distinguish between data drawn in from one file as compared to another. So I'm looking to bring something from the header section of the file into the rows.

File #1
\DATA_CATEGORY = "AXA Curve"
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
\PUBLIC = "Y"
\NUMBER_OF_POINTS = "1090"
Col1 Col2 Col3
0001 9876 5555
0001 9876 5555
0001 9876 5555

File #2
\DATA_CATEGORY = "EXA Curve"
\DATA_CATEGORY_DEFINED = "Category of Time Series Data"
\PUBLIC = "Y"
\NUMBER_OF_POINTS = "1090"
Col1 Col2 Col3
0002 3333 6666
0002 4444 6666
0002 2222 6666

What I'm trying to end up with is...
Col1 Col2 Col3 Col4
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0001 9876 5555 AXA Curve
0002 3333 6666 EXA Curve
0002 4444 6666 EXA Curve
0002 2222 6666 EXA Curve

So I can run reports on AXA and EXA separately. Any ideas?

Thanks,
Peter

1 Solution

pcawdron
Explorer

I can get the following search to work...

sourcetype=MySource | eventstats max(DATA_CATEGORY) by source

...and it works, but if I try to define this as a named column I could add to props.conf, I get an eval error using...

sourcetype=MySource | eval MyColumn = eventstats max(DATA_CATEGORY) by source

I found another post that suggested the following would work, but it failed to return anything at all

sourcetype=MySource | eventstats max(DATA_CATEGORY) by source as MyColumn | eval ShowColumn = MyColumn

so I'm close, but no cigar... any ideas?


0 Karma


davebrooking
Contributor

I think the final search should be

sourcetype=MySource | eventstats max(DATA_CATEGORY) as MyColumn by source | eval ShowColumn = MyColumn

Dave

0 Karma
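An added illustration, not code from this thread or from Splunk: the Python below emulates what `eventstats max(DATA_CATEGORY) as MyColumn by source` does over two constructed files shaped like the ones in the question, showing why the header value lands on every row of the same source even though only the header event carries the field. The file names, regexes and function names are assumptions.

```python
import re

# Constructed sample input modelled on the two files in the question (not real data).
FILES = {
    "file1.txt": '\\DATA_CATEGORY = "AXA Curve"\n\\PUBLIC = "Y"\nCol1 Col2 Col3\n'
                 '0001 9876 5555\n0001 9876 5555\n0001 9876 5555\n',
    "file2.txt": '\\DATA_CATEGORY = "EXA Curve"\n\\PUBLIC = "Y"\nCol1 Col2 Col3\n'
                 '0002 3333 6666\n0002 4444 6666\n0002 2222 6666\n',
}

HEADER_RE = re.compile(r'^\\DATA_CATEGORY\s*=\s*"([^"]*)"')  # header line carrying the value
ROW_RE = re.compile(r'^(\d+)\s+(\d+)\s+(\d+)$')               # one data row: Col1 Col2 Col3


def load_events(files):
    """One event per line, tagged with its source, like Splunk's per-line breaking."""
    events = []
    for source, text in files.items():
        for line in text.splitlines():
            ev = {"source": source, "_raw": line}
            m = HEADER_RE.match(line)
            if m:
                ev["DATA_CATEGORY"] = m.group(1)  # field exists only on the header event
            events.append(ev)
    return events


def eventstats_max_by_source(events, field, as_name):
    """Emulate `eventstats max(<field>) as <as_name> by source`: take the max of the
    field over each source group, then write it onto every event in that group."""
    maxes = {}
    for ev in events:
        if field in ev:
            src = ev["source"]
            maxes[src] = ev[field] if src not in maxes else max(maxes[src], ev[field])
    for ev in events:
        if ev["source"] in maxes:
            ev[as_name] = maxes[ev["source"]]
    return events


def tagged_rows(files):
    """Return the data rows with the propagated header value appended as Col4."""
    events = eventstats_max_by_source(load_events(files), "DATA_CATEGORY", "MyColumn")
    rows = []
    for ev in events:
        m = ROW_RE.match(ev["_raw"])
        if m and "MyColumn" in ev:
            rows.append((*m.groups(), ev["MyColumn"]))
    return rows
```

The header and `Col1 Col2 Col3` lines are dropped from the output only because they fail `ROW_RE`; in Splunk they would still be events and would need filtering too.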

pcawdron
Explorer

Perfect. Thank you 🙂

0 Karma

sundareshr
Legend

Why not use source? Source will be the name of the file these events were extracted from.

0 Karma

pcawdron
Explorer

The file names aren't distinct enough, and don't properly identify the value I need. I really just need to be able to use a value from the header as a constant within those particular results.

0 Karma