Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

addinfo

Synopsis

Add fields that contain common information about the current search.

Syntax

| addinfo

Description

Adds global information about the search to each event. Currently the following fields are added:

  • info_min_time: the earliest time bound for the search
  • info_max_time: the latest time bound for the search
  • info_sid: ID of the search that generated the event
  • info_search_time: time when the search was executed.

Examples

Example 1: Add information about the search to each event.

... | addinfo

Example 2: This search uses addinfo collect the time parameters of the outer search and constrain the subsearch so it doesn't run over all time.

specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | addinfo | where _time >= info_min_time AND _time <=info_max_time | stats count(field) as variableA ] | eval variableB = exact(variableA/totalUsers)

  • First, stats counts the number of individual users on a specific server and names that variable "totalUsers".
  • Then, appendcols searches the server and counts how many times a certain field occurs on that specific server. This count is renamed "VariableA". The addinfo command is used to constrain this subsearch within the range of info_min_time and info_max_time.
  • The eval command is used to define a "variableB".

The result is a table with of totalUsers, variableA, variableB.

See also

search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the adinfo command.

PREVIOUS
addcoltotals
  NEXT
addtotals

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Thanks, Lalleman! Corrected.

Sophy, Splunker
August 16, 2012

Is there a typo above, or did something change? In 4.3.3, addinfo is returning "info_sid" not "info_search_id".

Lalleman
August 10, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters