Hello:
I am trying to add a column to the results table; the reason for this is so that I can then use that value for populating a token. Here is the search:
<search here>
| chart latest(Data) AS "Data" over Time by Thread
| sort + Time
| eval Goal=25
| eval Min=18
| eval LastPrimer=Primer
The results table of this looks like:
Time  Goal  Min  data1    data2    data3
0     25    18   29.2728  26.2105  14.8187
1     25    18   29.6007  28.9153  14.9330
I want to also see LastPrimer in the results table. Primer is an indexed field.
Hello,
You can use the appendcols command:
<search here>
| chart latest(Data) AS "Data" over Time by Thread
| sort + Time
| eval Goal=25
| eval Min=18
| appendcols [search <search here> | eval LastPrimer=Primer | table LastPrimer]
Simple Example (You can paste this request in your bare search):
index="_internal"
| bin _time span=1d
| stats count by _time
| appendcols
[search index="_internal"
| table log_level
| dedup log_level]
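An added example, not part of the answer above: appendcols pairs subsearch rows with main-search rows by position rather than by a key, so this sketch reduces the subsearch to a single row and then uses filldown to copy LastPrimer onto every row of the chart. All events are constructed with makeresults, and the Primer values ("primer-1" to "primer-4") are made up for illustration.

```spl
| makeresults count=4
| streamstats count AS n
``` constructed sample events: two Time buckets, two threads, one Primer per event ```
| eval Time=floor((n-1)/2), Thread=if(n%2==1, "data1", "data2"), Data=20+n
| chart latest(Data) AS "Data" over Time by Thread
| sort + Time
| eval Goal=25, Min=18
| appendcols
    [| makeresults count=4
     | streamstats count AS n
     | eval Primer="primer-".tostring(n)
     ``` collapse to one row so it lines up with the first row of the chart ```
     | stats last(Primer) AS LastPrimer]
``` only the first row received LastPrimer; copy it down to the remaining rows ```
| filldown LastPrimer
```

Without the stats step, the subsearch returns one row per event, and each of those rows is attached to whichever chart row happens to sit at the same position.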