Splunk Search

Help with forming a table with sourcename next to the first column for each row?

charanramireddy
New Member

Hi,

I'm searching multiple sources in a single index and getting the results as a table. I want to display the sourcename next to the first column for each row. How can I do that?

0 Karma
1 Solution

somesoni2
SplunkTrust

Try like this

 index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4 by Local source | sort 0 - COL2

0 Karma

charanramireddy
New Member

this is exactly what I was looking for.

0 Karma

Sukisen1981
Champion

 index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4 by Local | sort 0 - COL2

If I just add

 index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4, latest(source) as COL5 by Local | sort 0 - COL2

or if you want to see ALL the source values in one go

 index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4, values(source) as COL5 by Local | sort 0 - COL2

Coming back to what @niketnilay is asking: is source an auto-discovered field, or do you want to extract a custom source field?

0 Karma
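An added example, not part of the original thread: a self-contained search that builds four constructed events with `makeresults` and carries `source` through `stats` both as `latest(source)` and as `values(source)`. Fields that `stats` neither aggregates nor names in its BY clause are absent from its output, so a later `table ... source` has nothing to show. The `/constructed/...` paths, the `site1`/`site2` values and the output column names `latest_source` and `all_sources` are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=_time-(60*(4-n))
| eval Local=if(n<=2, "site1", "site2")
| eval source=case(n=1, "/constructed/a.log", n=2, "/constructed/b.log", n=3, "/constructed/a.log", n=4, "/constructed/a.log")
| eval CQD=n*10, PQF=n*100
| stats latest(CQD) AS COL1, latest(PQF) AS COL2, latest(source) AS latest_source, values(source) AS all_sources BY Local
| sort 0 - COL2
| table Local latest_source all_sources COL1 COL2
```

Moving `source` into the BY clause instead, as in the accepted answer, returns one row per Local/source pair rather than one row per Local.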

charanramireddy
New Member

This is my sample search

index=ssc | multikv forceheader=6 | stats latest(CQD) as COL1, latest(PQF) as COL2, latest(OIC) as COL3, latest(OUC) as COL4 by Local | sort 0 - COL2

and I want a new column appended with source values as second column.

0 Karma

richgalloway
SplunkTrust

You mean like this?

<base search> | table foo source ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

charanramireddy
New Member

yes but

table  "prior column names" source 

shows empty column for source.

0 Karma

niketn
Legend

@charanramireddy, Are you saying the following works

 <YourBaseSearch>
| table source foo

But reversing the sequence does not?

 <YourBaseSearch>
| table source foo

What type of data input is it? What is going to be the first column in the table? Are you able to see source names when you run your base search under interesting fields? What is the exact table command you are running?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Sukisen1981
Champion

Not really clear what you want. Can you give a sample of what your table looks like currently and how you would want it to appear?

0 Karma