topic Re: help to rename automatically random pie label in Splunk Search

help to rename automatically random pie label

jip31 — Wed, 30 Sep 2020 01:24:45 GMT

I use the search below

[| inputlookup host.csv 
    | table host] index="x" sourcetype="x"
| bucket _time span=3m 
| where process_cpu_used_percent>80 
| dedup host process_name 
| stats count(host) as Total by process_name 
| sort -Total limit=10

process_name correspond to a piece of my pie chart and can be different at each times
I search an solution to rename automatically the process_name because one of them are not explicit
example : I have a process_name called "mfevtp" which correspond to McAFEE
So I want to display "McAFEE" in my label instead "mfevtp"
How to do this please?
thanks
regards

Re: help to rename automatically random pie label

jitendragupta — Wed, 30 Sep 2020 01:20:18 GMT

What does this query give you? ->
index="x" sourcetype="x" | table process_name | dedup process_name

The only output of this query comes as a label in your pie chart.
I am not sure whether aliasing is there or not in Splunk. You can try this manual process:

 [| inputlookup host.csv 
     | table host] index="x" sourcetype="x"
 | bucket _time span=3m 
 | where process_cpu_used_percent>80 
 | dedup host process_name 
 | stats count(host) as Total by process_name 
 | sort -Total limit=10) | eval process_name=if(process_name="mfevtp","McAFEE ",process_name)

Re: help to rename automatically random pie label

jip31 — Wed, 30 Sep 2020 01:25:07 GMT

thanks it works but sometimes I have not the exact name for the process name
and if I do eval process_name=if(process_name="mfevtp*","McAFEE ",process_name) it doesnt works
an idea please??

Re: help to rename automatically random pie label

jitendragupta — Fri, 19 Jul 2019 09:37:19 GMT

If u know all possible values of the process_name, add them together in a case statement.

Re: help to rename automatically random pie label

jip31 — Fri, 19 Jul 2019 10:37:38 GMT

yes but my question is why I can use *
sometime a process name can be named "mfetvtp1" or "mfevtp2"
But both have to be called McAFEE
So why I can do process_name="mfevtp*"??

Re: help to rename automatically random pie label

jip31 — Wed, 30 Sep 2020 01:25:32 GMT

My case eval works but sometimes I need to use *

`| eval process_name=case(process_name=="mfevtps*")
But when I am doing * I have no results
How to use * in my case eavl please?

Re: help to rename automatically random pie label

vnravikumar — Mon, 22 Jul 2019 09:27:09 GMT

Try this

...<your query>| eval process_name = if(like(process_name,"mfetvtp%"),"McAFEE",process_name)

Re: help to rename automatically random pie label

jip31 — Mon, 22 Jul 2019 09:57:06 GMT

hi it seems to be ok!
last question, I have a lot of process name
so how to concatene them in if like??

Re: help to rename automatically random pie label

vnravikumar — Mon, 22 Jul 2019 10:04:50 GMT

Try like

| eval process_name = case(like(process_name,"mfetvtp%"),"McAFEE",like(process_name,"abc%"),"ABC",1=1,process_name)

keep1=1 in your query, if none of the condition was matched it will return the value.

If its fine, please accept the answer.

Re: help to rename automatically random pie label

jip31 — Mon, 22 Jul 2019 10:16:17 GMT

many thanks