topic Re: Basic Table Header Rename in Getting Data In

Basic Table Header Rename

Mkaz — Tue, 29 Sep 2020 12:58:23 GMT

I checked through the answers and cannot find anything that matches or will work...

I am asking how to rename a table header that is being displayed in a query/dashboard. The log file was indexed with a header name of _time. I would like to name it Date and Time.

Query is:

index="ti_is_st" sourcetype="xfer_log" | regex _raw="^.+*$" | rex field=_raw "^(\S+\s+){8}\/(([^\s\/]+\/)+)(?<fileName>.+)(\s+\S+){8}$" |rex field=File_Status "(?<File_Status>(i|j|k|o|p|q))\s"|search "$field2$" "$field3$" |table _time ip_address Service_Account fileName File_Size File_Status |replace o with "Download Successful" i with "Upload Successful" j with "Upload Errored" k with "Upload Aborted" p with "Download Errored" q with "Download Aborted" in File_Status

Thanks

Re: Basic Table Header Rename

richgalloway — Thu, 23 Feb 2017 14:44:05 GMT

`... | rename _time as "Date and Time" | ...

Re: Basic Table Header Rename

Mkaz — Thu, 23 Feb 2017 14:55:58 GMT

Thanks... Does this then change the column name in the index so then _time variable is no longer available? When I used the rename, it appears to change the format to a number as shown below.

2017-02-23 09:49:25 becomes 1487861301

Re: Basic Table Header Rename

richgalloway — Thu, 23 Feb 2017 16:27:01 GMT

Indexes never change. You have to use the rename command on every search that does not want to display "_time".
I forgot about the implicit fieldformat for _time. Try ... | rename _time as "Date and Time" | fieldformat 'Date and Time'=strftime('Date and Time', "%Y-%m-%d %H:%M:%S") | ...

Re: Basic Table Header Rename

cboillot — Wed, 23 Oct 2019 18:18:04 GMT

For those that come to this post via searching, to get this to work, i have to do the following:

| fieldformat "Date and Time"=strftime('Date and Time', "%Y-%m-%d %H:%M:%S")

Full quotes around Date and Time after fieldformat