How to add additional columns in search results ba...

email2vimalraj · ‎10-03-2019

I've a search like this:

(api=*/getUser) OR (api=/api/v1/addUser component=Comp1) OR (api=/api/v1/addUser component=Comp2) | table api, component

But I wanted to add two more columns some thing like the below:

latency            flowname api                    component
Latency from comp1  Get User    /comp1/api/v1/getUser   Comp1
Latency from comp2  Get User    /comp2/api/v1/getUser   Comp2
Latency from comp1  Add User    /api/v1/addUser           Comp1
Latency from comp2  Add User    /api/v1/addUser           Comp2

I thought to use eval, but writing eval with many checks and balances in case of many API component combination doesn't sound great. Is there any solution to handle it?

gcusello · ‎10-03-2019

Hi email2vimalraj,
if you have many but not thousands combinations, you could use a lookup in which insert the possible combinations to display.

I don't know if the example are exaustive, but it seems possible to extract them using regexes and eval:

| rex field=api ".*\/(?<flowName>\w+)$"
| eval latency="latency from ".component, flowName=case(flowName="getUser","Get User",flowName="addUser","Add User")

Bye.
Giuseppe

How to add additional columns in search results based on the field

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor