topic Re: change column name with specified new column value in Splunk in Splunk Search

change column name with specified new column value in Splunk

vikas_baranwal — Tue, 26 Jun 2018 10:46:35 GMT

Hi,

I am having correct value in current field and want to use that value as column name which is currently showing as A. Please help to solve this issue. For any other information please let me know.

e.g if current is '06-24-2018' then in table header row should have column name as '06-24-2018'

| base search
| eval current = strftime(currentTime,"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| table "Project",A

Re: change column name with specified new column value in Splunk

paulbannister — Tue, 26 Jun 2018 11:03:34 GMT

Hi There,

Can you expand on the problem a little more, such as what the data looks like and your expected outcome? At first glance from the above data my thoughts would be to use the CHART command by the field in question

Re: change column name with specified new column value in Splunk

vikas_baranwal — Tue, 26 Jun 2018 11:14:59 GMT

I want to display column name with a date as an output of eval command and This date is also coming from a eval command output.
Hope this information helps you to provide me solution.
Thanks in advance!

Re: change column name with specified new column value in Splunk

niketn — Tue, 26 Jun 2018 11:58:14 GMT

@vikas_baranwal can you give the output table format. While it is clear that you need Date as table header, it is not clear what would each row look like. What is your current data. Sample data and current table and expected table format would be helpful.

Re: change column name with specified new column value in Splunk

Sukisen1981 — Tue, 26 Jun 2018 11:58:28 GMT

something like this -

Use the value of one field as the name for a new field In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.

index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
in your case |eval {current}=A
Ref. http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval#4._Use_the_value_of_one_field_as_the_name_for_a_new_field

After running this you need to check your interesting field and add a last | stats values(06-15-2018) by "Project"
assuming your currentTime value is 06-15-2018

Re: change column name with specified new column value in Splunk

vikas_baranwal — Wed, 27 Jun 2018 10:33:07 GMT

My current SPL is like below in which currently weeks are hard -coded with values.

| eval "06-04-2018" = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval "05-28-2018" = if(P1P1>0 OR P2P1>0,"R",if(P3P1>0,"Y","G"))
| eval "05-21-2018" = if(P1P2>0 OR P2P2>0,"R",if(P3P2>0,"Y","G"))
| eval "05-14-2018" = if(P1P3>0 OR P2P3>0,"R",if(P3P3>0,"Y","G"))
| eval "05-07-2018" = if(P1P4>0 OR P2P4>0,"R",if(P3P4>0,"Y","G"))
| table "Project","05-07-2018","05-14-2018","05-21-2018","05-28-2018"," 06-04-2018"
| sort Project

Using above query in SPL, data is in showing in below structure(Project field is already exist in the event data).

[Screenshot attached ]

Now I want to display my header column with week’s date. I modified query as advised by you but it did not work.

| eval current = strftime(relative_time(now(),"@w1"),"%m-%d-%Y")
| eval A = if(P1C>0 OR P2C>0,"R",if(P3C>0,"Y","G"))
| eval {current} = A

Thanks in advance for your help!
alt text

Re: change column name with specified new column value in Splunk

Sukisen1981 — Tue, 29 Sep 2020 20:12:40 GMT

Hi,
Perhaps I am not getting your use case or I am not able to explain. At any rate I have written a query on the default _audit index , so that you can run the query as it is (select last 24 hours)
index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-27-2018

Now, the 06-27-2018 needs to be replaced by current day -1, so if you run this on 30th June you would write something like - index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-29-2018

Is this something like what you need?