I want to dynamically add fields to my result set depending on a search I did.
How can I add fields/new columns based on a search from a result of the main search?
index=test
*
| table Computer
| appendcols [ search (index=another_test) Computer=$ParentSearch$.Computer) | head 1 | table Name ]
| table Computer, Name
dynamically. I can't work with lookups for each result because I want to generate the end result each time.
Can't do that manually. I need to be able to process this automatically.
Another example:
Let's say I am building a result set with a query.
When results show up, how can I enrich my resultset with values from another index?
What I am looking at is writing SPLs which run once, and during this one shot they should correlate multiple events from multiple indexes. So the result should be further processed and enriched by information from other indexes/columns.
What is the best way to do that with Splunk in one SPL?
You are looking for the join command, i.e:
index=test
| table Computer
| join Computer [ search (index=another_test) | head 1 | table Name Computer]
This correlates the Computer field on both index test and another_test and joins the subsearch fields (except for the matching one).
Don't forget to upvote 🙂
I do not understand much what I want to do
For example, what about this search statement?
(index=test OR index=another_test)
| stats latest(Name) as Name by Computer
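To see what the two answers above produce on the same data, here is a small Python model of both approaches (added for this thread, not part of any post and not Splunk itself). Its assumptions, labelled in the code: constructed sample events, search results arriving newest first, `join` being an inner join that keeps the first matching subsearch row, and `stats ... by` keeping a row for every Computer even when no Name was found.

```python
# Python model (not Splunk itself) of `| join Computer [...]` versus
# `| stats latest(Name) as Name by Computer`. Assumed Splunk semantics:
# results newest first, inner join keeping the first match per key,
# stats-by emitting a row per key even when the aggregated field is absent.

EVENTS = [  # constructed sample events, not from the original post
    {"_time": 100, "index": "test", "Computer": "HOST-A"},
    {"_time": 110, "index": "test", "Computer": "HOST-B"},
    {"_time": 120, "index": "test", "Computer": "HOST-C"},
    {"_time": 90, "index": "another_test", "Computer": "HOST-A", "Name": "alice"},
    {"_time": 130, "index": "another_test", "Computer": "HOST-A", "Name": "alice2"},
    {"_time": 95, "index": "another_test", "Computer": "HOST-B", "Name": "bob"},
]


def search(*indexes):
    """`index=x OR index=y`: matching events, newest first (assumed)."""
    rows = [e for e in EVENTS if e["index"] in indexes]
    return sorted(rows, key=lambda e: e["_time"], reverse=True)


def join(main, sub, field="Computer", head=None):
    """`| join <field> [subsearch | head N]`: inner join, first sub row per key."""
    if head is not None:
        sub = sub[:head]                     # `| head 1` keeps only the newest row
    first = {}
    for row in sub:
        first.setdefault(row[field], row)    # first match per key wins (assumed)
    out = []
    for row in main:
        match = first.get(row[field])
        if match is None:
            continue                         # inner join: unmatched rows are dropped
        out.append({"Computer": row[field], "Name": match.get("Name")})
    return out


def stats_latest_by(events, agg="Name", by="Computer"):
    """`| stats latest(<agg>) as <agg> by <by>`: one row per key, newest value."""
    newest, keys = {}, []
    for e in events:                         # events are already newest first
        key = e.get(by)
        if key is None:
            continue                         # stats ignores events lacking the by-field
        if key not in keys:
            keys.append(key)
        if agg in e and key not in newest:
            newest[key] = e[agg]
    return [{"Computer": k, "Name": newest.get(k)} for k in sorted(keys)]


def enrich_with_join(head=None):
    return join(search("test"), search("another_test"), head=head)


def enrich_with_stats():
    return stats_latest_by(search("test", "another_test"))
```

With `head=1` the join enriches only the single Computer returned by the subsearch; the stats form keeps HOST-C with an empty Name, which is the row an analyst would otherwise lose silently.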