Can I tag with search?

kawashita_t · ‎06-27-2017

I would like to tag you at search time.
I'd like to tag the result of the calculation when searching.

ex )
LogID Data1 Data2
1 323 421
2 391 117
3 341 221
4 268 230
5 182 311
6 277 213
7 57 177
8 27 251
9 72 235
10 201 257

Tag the sum of Data 1 and Data 2.

result:

LogID Data1 Data2 tag
1 　　323 　　421 　　744
2 　　391 　　117 　　508
3 　　341 　　221 　　562
4 　　268 　　230 　　498
5 　　182 　　311 　　493
6 　　277 　　213 　　490
7 　　57 　　177 　　234
8 　　27 　　251 　　278
9 　　72 　　235 　　307
10 　　201 　　257 　　458

index=sample
| eval sum=Data1+Data2
| tags outputfield=sum tag  ###Example Tagging syntax

I want you to tell me.
If I can not do that, will I use a summary index etc?

arizviherjavec · ‎02-19-2019

Why not just

| eval tag=Data1+Data2 ?

If you need both tag and sum fields, you can also
| eval sum=tag

inventsekar · ‎06-27-2017

as field "sum" is not indexed, i think you can not use it as a tag.
i think what you are looking for is "calculated field".

Can I tag with search?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability