- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you include index/sourcetype in table data?...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys, having a little trouble with this one.
How does one include the index in a table. This doesn't work:
(index=cwdswindows OR index=cwds) earliest_time="-7d"| stats max(_time) AS last_seen by host | sort host | convert timeformat="%m/%d/%Y %H:%M:%S" ctime(last_seen) | table host, last_seen, index
I know it is pretty obvious by which index I search that is obviously the resulting index, but it would be nice if when I am sent the alert I can visibly see the source of the host and time last seen in my data table. I'm guessing since index is not a field, but rather a source full of fields, that is the issue. What is the way around this?
Thanks for any help at all!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to include index in your "stats" clause, otherwise it will not be present for the table clause.
Initially I thought it was because you had "convert" before rather than after "table", but that works either way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index is an ordinary field like any other. The reason it does not appear for you is that your stats command removes it. It will remove any field except those specified. If you really only have a single index, you modify your stats command by adding either first(index) as index, adding index to the split-by clause.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to include index in your "stats" clause, otherwise it will not be present for the table clause.
Initially I thought it was because you had "convert" before rather than after "table", but that works either way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahah! Including index in my stats clause definitely fixed the issue. Thank you thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! Thank you for trying to replicate my search to accurately diagnose the issue. I'll be sure to try this and vote your answer if it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it should work like that, you can try without the commas
table host last_seen index
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, I did not use convert, he may be right then
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try using convert in your search? The guy below said that when using convert, it has to come after table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried showing the index field in a table and it worked for me with and without the commas... it's worth trying 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hm I can't imagine without commas would make the difference, but I will try when I get back to my machine tomorrow! I'll let you know. Thanks.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
