Hi all - new here, but the answers I've seen so far on stats (e.g. http://answers.splunk.com/answers/106497/add-a-new-count-field-to-a-table.html) do a group on several fields when one wishes to display several fields in a table (for example).
My question is this: when wishing to display several fields (either ones created yourself or the ones already recognized by Splunk), do you use a table, eval or stats to display them?
E.g.: Splunk recognizes all the following fields: uri_path, referer_domain, urlslug, lang.
How can I say "for a given index, count the top uri_path info but display the rest of the recognized fields in the output table"?
Something like index="jellyfish" | top showperc=false limit=10 uri_path, referer_domain, urlslug, lang
But I don't wish it to group/aggregate by any field other than the uri_path one. So: "display the other fields if they exist, if not just place a blank value, but don't impact my counting top uri_path data"
Do you guys typically use eval only for custom fields? Or table/chart perhaps for what I'm after?
Thanks for helping this newbie!