hey ninjas,
i have a search result like the following:
error_code1 42
error_code2 55
error_code3 62
error_code4 17
i want to append a colum at the right side
the value of the colum is base on a search result ( such as index=nijia | stats count)
i expect it to looked like the this:
error_code1 42 100
error_code2 55 100
error_code3 62 100
error_code4 17 100
i think i should use "eval" to get the new colum , but i do not know how to eval a new field base on a search result
do you have any ideas?
Here are a couple of other options:
| appendcol [subsearch]
as well, but this will only match the values line by line in the order that the results appear from the subsearch. Or you could use
| join field1 [subsearch]
to match the results to the base search as they match on field1.
| appendcols [ search .... ] works
Your base search giving error_code, count | eval newCol=[ search index=ninja |stats count | return $count]
This didn't work for me, but this did:
| eval [ | rest splunk_server=local /services/server/info | return host ]
Did you try addtotals http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Addtotals ?
please note the search ( what the eval base on ) just return single value ( not multi-row )
so appendcols will not works in this case