Add fields that contain common information about the current search.
Adds global information about the search to each event. Currently the following fields are added:
- info_min_time: the earliest time bound for the search
- info_max_time: the latest time bound for the search
- info_sid: ID of the search that generated the event
- info_search_time: time when the search was executed
Example 1: Add information about the search to each event.
... | addinfo
Example 2: This search uses addinfo to collect the time parameters of the outer search and constrain the subsearch so that it doesn't run over all time.
specific.server | stats dc(userID) as totalUsers | appendcols [ search specific.server AND "text" | addinfo | where _time >= info_min_time AND _time <= info_max_time | stats count(field) as variableA ] | eval variableB = exact(variableA/totalUsers)
- First, stats counts the number of distinct users on a specific server and names that value "totalUsers".
- Then, appendcols runs a subsearch on the same server and counts how many times a certain field occurs on that server. This count is named "variableA". The addinfo command is used to constrain this subsearch to the range between info_min_time and info_max_time.
- Finally, the eval command is used to define "variableB".
The result is a table of totalUsers, variableA, and variableB.
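The following is an added example, not part of the original documentation. Because addinfo adds the same fields to transformed results as it does to raw events, the search window can be used to turn a count into a rate. The index, sourcetype, action and user names are assumptions, and the search is assumed to run over a bounded time range.

```spl
index=security sourcetype=auth action=failure
| stats count AS failures BY user
| addinfo
| eval window_hours = (info_max_time - info_min_time) / 3600
| eval failures_per_hour = round(failures / window_hours, 2)
| eval searched_from = strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| table user failures failures_per_hour searched_from info_sid
```

Keeping info_sid in the output ties each result row back to the search job that produced it.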
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the addinfo command.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18