Splunk® Enterprise

Search Reference


addinfo

Description

Adds fields to each event that contain global, common information about the search. This command is primarily an internally used component of Summary Indexing.

Syntax

addinfo


The following fields are added to each event when you use the addinfo command.

Field             Description
info_min_time     The earliest time boundary for the search.
info_max_time     The latest time boundary for the search.
info_sid          The ID of the search that generated the event.
info_search_time  The time when the search was run.

Usage

The addinfo command is a distributable streaming command. See Command types.

Examples

1. Add information to each event

Add information about the search to each event.

... | addinfo

2. Determine which heartbeats are later than expected

You can use this example to track heartbeats from hosts, forwarders, tcpin_connections on indexers, or any number of system components. This example uses hosts.

You have a list of host names in a lookup file called expected_hosts. You want to search for heartbeats from your hosts that are after an expected time range. You use the addinfo command to add information to each event that will help you evaluate the time range.

... | stats latest(_time) AS latest_time BY host | addinfo | eval latest_age = info_max_time - latest_time | fields - info_* | inputlookup append=t expected_hosts | fillnull value=9999 latest_age | dedup host | where latest_age > 42

Use the stats command to calculate the latest heartbeat by host. The addinfo command adds information to each result. This search uses info_max_time, which is the latest time boundary for the search. The eval command creates a field called latest_age and calculates the age of each heartbeat relative to the end of the time range. This example assumes a time range of -11m@m to -m@m, that is, from 11 minutes ago to 1 minute ago, with both boundaries snapped to the beginning of the minute. The search does not work if you specify latest=null / all time, because info_max_time would then be set to +infinity.

Using the lookup file, expected_hosts, append the list of hosts to the results. Using this list you can determine which hosts are not sending a heartbeat in the expected time range. For any hosts that have a null value in the latest_age field, fill the field with the value 9999. Remove any duplicated host events with the dedup command. Use the where command to filter the results and return any heartbeats older than 42 seconds.

In this example, you could use the tstats command, instead of the stats command, to improve the performance of the search.
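To make the behaviour of the heartbeat search concrete, the following Python rendition of the pipeline (an added example, not Splunk code) replays each SPL stage over constructed sample events and a constructed expected_hosts list; the event times, host names and the search window boundaries are all assumptions.

```python
import math

# Constructed sample heartbeat events (epoch seconds) standing in for indexed
# data, and a constructed expected_hosts lookup; fwd01 never reports.
SAMPLE_EVENTS = [
    {"_time": 1_700_000_000, "host": "web01"},
    {"_time": 1_700_000_580, "host": "web01"},   # 20 s before window end
    {"_time": 1_700_000_100, "host": "web02"},   # 500 s before window end
    {"_time": 1_700_000_590, "host": "db01"},    # 10 s before window end
]
EXPECTED_HOSTS = ["web01", "web02", "db01", "fwd01"]


def stale_heartbeats(events, expected_hosts, info_min_time, info_max_time,
                     threshold=42):
    """Replays: stats latest(_time) AS latest_time BY host | addinfo
    | eval latest_age = info_max_time - latest_time | fields - info_*
    | inputlookup append=t expected_hosts | fillnull value=9999 latest_age
    | dedup host | where latest_age > threshold
    Returns {host: latest_age} for hosts whose last heartbeat is too old."""
    # Caveat from the docs: with latest=null / all time, info_max_time is
    # +infinity and every latest_age becomes infinite, so refuse to run.
    if math.isinf(info_max_time):
        raise ValueError("info_max_time is +infinity; use a bounded time range")
    # stats latest(_time) BY host, restricted to the search window
    latest = {}
    for e in events:
        if info_min_time <= e["_time"] <= info_max_time:
            latest[e["host"]] = max(latest.get(e["host"], 0), e["_time"])
    # eval latest_age = info_max_time - latest_time (info_* fields dropped)
    rows = [{"host": h, "latest_age": info_max_time - t} for h, t in latest.items()]
    # inputlookup append=t expected_hosts: appended rows lack latest_age
    rows += [{"host": h, "latest_age": None} for h in expected_hosts]
    # fillnull value=9999 latest_age
    for r in rows:
        if r["latest_age"] is None:
            r["latest_age"] = 9999
    # dedup host keeps the first row per host, i.e. the stats row when present
    seen = {}
    for r in rows:
        seen.setdefault(r["host"], r["latest_age"])
    # where latest_age > threshold
    return {h: age for h, age in seen.items() if age > threshold}


if __name__ == "__main__":
    # Assumed window of -11m@m to -m@m expressed as epoch boundaries.
    print(stale_heartbeats(SAMPLE_EVENTS, EXPECTED_HOSTS, 1_700_000_000, 1_700_000_600))
```

Running it reports web02 (500 s old) and fwd01 (filled with 9999 because it never appeared in the window), while web01 and db01 are within the 42-second threshold.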

See also

search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the addinfo command.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0


Comments

Woodcock - I have updated the JIRA to add the '_index_earliest', '_index_latest' and hostname when the command is updated. Thanks!

Lstewart splunk, Splunker
March 11, 2016

It would also be useful to have the hostname of the search head on which the search is running.

Woodcock
March 10, 2016

Now that `_index_earliest` and `_index_latest` are supported, it would be nice to know those values, too, if they were used to qualify the search.

Woodcock
March 7, 2016

Woodcock - I've updated the JIRA I created previously to add the search name when the command is updated. Thanks!

Lstewart splunk, Splunker
January 11, 2016

Also, the name of the search would be useful, too, for the same reason (do different things based on the name of the search).

Woodcock
January 9, 2016

Thanks for your suggestion! I've logged it as a request for improvement to the command with our development team.

Lstewart splunk, Splunker
August 17, 2015

This command should be expanded to show the "username" of the person running the search so that searches can be written that do different things for different users.

Woodcock
August 14, 2015
